Cyber Security Presentation - FSI-INC
Download
Report
Transcript Cyber Security Presentation - FSI-INC
Hack-a-thon Results and Cyber Risk
The Evolving Landscape
Brian Denny, Security Audit Lead
December 3, 2015
Salient Proprietary | www.salientcommercial.com
1
Agenda
•
•
•
•
•
Burning question
Our “Hack-a-thon” experience
What we learned
Technical tips for resolution
Business tips for resolution
Salient Proprietary | www.salientcommercial.com
2
Our Burning Question…
Why isn’t our industry – especially small to
midsized carriers – more proactive when it
comes to cyber security?
Salient Proprietary | www.salientcommercial.com
3
Our Burning Question…
May 2014
233 million
credentials and
PII
Salient Proprietary | www.salientcommercial.com
4
Our Burning Question…
June 2014
2.6 million
debit/credit
cards
Salient Proprietary | www.salientcommercial.com
5
Our Burning Question…
June 2014
4.5 million SSN
and personal
data
Salient Proprietary | www.salientcommercial.com
6
Our Burning Question…
August 2014
76 million
consumers, 7
million small
businesses
Salient Proprietary | www.salientcommercial.com
7
Our Burning Question…
September 2014
56 million
debit/credit
cards
Salient Proprietary | www.salientcommercial.com
8
Our Burning Question…
October 2014
1.2 million credit
cards
Salient Proprietary | www.salientcommercial.com
9
Our Burning Question…
November 2014
Emails and
personnel data
Salient Proprietary | www.salientcommercial.com
10
Our Burning Question…
February 2015
80 million
customers’ PII
Salient Proprietary | www.salientcommercial.com
11
Our Burning Question…
March 2015
11 million
financial and
medical records
Salient Proprietary | www.salientcommercial.com
12
Our Burning Question…
XX 22.1
4.2
XX million
OPM security files
Employees
Applicants
Family/Friends
References
PII
Mental health info
Drug/alcohol use
1.1M fingerprints
Salient Proprietary | www.salientcommercial.com
13
Our Burning Question…
Over 70% of companies do not disclose breaches
It’s no longer a question of IF but WHEN
you will have a cyber incident
Salient Proprietary | www.salientcommercial.com
14
Most Common Responses
•
•
•
•
•
Higher priorities (both business and IT)
Budget and resource constraints
How do I begin? Where do I start?
Hackers wouldn’t be interested in our company
We took care of that last year
• Ongoing
• Evolving
• Persistent
Salient Proprietary | www.salientcommercial.com
15
Most Common Responses
• IT handles that
Cyber security is NOT an IT issue!
Protecting the company and its data is a business risk
management responsibility
•
•
•
•
Fiduciary
Liability
Public Relations/Reputation
Consumer confidence
Salient Proprietary | www.salientcommercial.com
16
What can we do?
• How can we
demonstrate the
need for urgency?
• What if we
convinced 10
insurance
companies to let
us try to hack into
their systems?
Salient Proprietary | www.salientcommercial.com
17
Who participated?
• Wide range of companies
•
•
•
•
Personal, Commercial, Workers’ Comp, Niche, Life
$10M - $500M
Stock, Mutual, Privately Held, Non-Profit
Spread across US
Salient Proprietary | www.salientcommercial.com
18
What did we do?
• A brief, focused assessment to quickly:
• Illustrate immediate risks
• Provide a high-level view of security
posture
Meant to illustrate what an attacker’s first
steps would be when pursuing access to a
target network
Aimed to identify vulnerabilities in network
perimeter, and to provide feedback
outlining potential attack vectors
Salient Proprietary | www.salientcommercial.com
19
What did we do?
• Step 1 – Open source research of a target and its
Internet presence
• Step 2 – Two discrete tasks to test for vulnerabilities:
• Active Scanning – simulating a real attacker by
scanning the target to identify remotely accessible
services and associated vulnerabilities
• Spear Phishing – sending targeted “phishing”
emails to users to illustrate possibility of perimeter
bypass
Salient Proprietary | www.salientcommercial.com
20
Active Scanning
• What?
• Performed remote scans from external infrastructure
• Leveraged publicly available tools
• Probed Internet facing presence
• Assessed common ports and protocols
• Focused on vulnerability discovery rather than
exploitation of target network
Salient Proprietary | www.salientcommercial.com
21
Active Scanning
• Why?
• Public-facing servers and services they provide are
the front doors to an organization's network
• Default configurations, along with poor security
settings, leak information that can be extremely
useful to an attacker
• With knowledge about types of systems and
software, research can be done to find or develop
exploits tailored to gain access to sensitive and
proprietary information and systems
Salient Proprietary | www.salientcommercial.com
22
Active Scanning
• Why?
• Once an initial foothold is gained, an attacker has a
platform from which he/she can explore more areas that
are supposed to be quarantined from the public Internet
Salient Proprietary | www.salientcommercial.com
23
What were the results?
100% of companies had
vulnerabilities
9 out of 10 had MINOR vulnerabilities
10 out of 10 had MODERATE vulnerabilities
8 out of 10 had CRITICAL vulnerabilities
Salient Proprietary | www.salientcommercial.com
24
What were the results?
256 Total Vulnerabilities
17%
24%
Minor
Moderate
Critical
59%
Salient Proprietary | www.salientcommercial.com
25
What were the results?
Common Scanning Vulnerabilities by Category
Information Disclosure
SSL Vulnerabilities
Man-in-the-middle
Cross Site Scripting
Overflow
VPN Vulnerabilities
Denial of Service
0%
20%
40%
60%
80%
100%
Salient Proprietary | www.salientcommercial.com
26
Prominent Overarching Theme
70% of the most common scanning
errors could have been avoided by
applying available updates and
patches
An unpatched vulnerability in
Windows was taken
advantage of by 3rd party
The root cause was the lack of
security updates that allowed
stolen user credentials
Salient Proprietary | www.salientcommercial.com
27
Spear Phishing
• What?
• Performed targeted “phishing” of client users
• Regular phishing scams / emails cast a large net, attempting to lure
many users into performing certain actions
• Spear phishing is much more focused, targeting specific users with
relevant content (far more effective and believable)
Salient Proprietary | www.salientcommercial.com
28
Spear Phishing
• What?
• Mimicked client website and internal email user
[email protected] vs.
[email protected]
https://vpn.smithcompany.com vs.
https://vpn.srnithcompany.com
• Used valid SSL certificates, which prevented browsers
from warning users about an “untrusted connection”
Salient Proprietary | www.salientcommercial.com
29
Spear Phishing
• What?
• Requested users visit our spoofed site and enter their
credentials to verify access
• If user clicked our link, our server recorded the IP
address and browser user agent string for every
connection received
• If user submitted the login form:
• Server securely logged his or her credentials
• Redirected connection to the authentic site, if it existed (if not, user was
presented with a “login failed” message)
• From there, the user could log in normally
Salient Proprietary | www.salientcommercial.com
30
Spear Phishing Sample
Salient Proprietary | www.salientcommercial.com
31
Spear Phishing
• Why?
• Illustrates a common security bypass/perimeter
breach technique
• Even if a client’s perimeter is secure (i.e., not
remotely exploitable), “client side exploits” pose a
real threat
Hackers got into eBay after obtaining login
credentials from employees allowing them to
access the corporate network.
Salient Proprietary | www.salientcommercial.com
32
Spear Phishing
• Why?
• If an internal user can be lured to initiate an outbound
connection, a remote attacker can potentially have a
vector to deliver malicious code to the target user on the
inside of the network
• This vector wouldn’t exist if the client user didn’t initiate a connection to
the attacker’s server
• This enables the possibility for the attacker to exploit a client application
(e.g., the web browser making the connection)
• That is, a “client side attack or exploit”
Salient Proprietary | www.salientcommercial.com
33
Spear Phishing
Why?
If a remote VPN is present, captured credentials can
give an attacker immediate, authenticated access to
a network
If not present, credentials
can still be used to access
internal legitimate
corporate email
Theft of IP and PII
May enable further attacks
Salient Proprietary | www.salientcommercial.com
34
What were the results?
8 of the 10 companies fell prey to our
spear phishing email
Average of 52% of users clicked on fake link
Average of 42% gave us their credentials
Salient Proprietary | www.salientcommercial.com
35
What were the results?
• Clicking on email link using old browsers allow
exploitation of browser into internal network
(CRITICAL)
• Clicking on email link using current or unknown
browsers allows information leakage (MINOR)
• Entering credentials where remote SSL VPN exists
gives immediate access to internal systems
(CRITICAL)
• Entering credentials where no remote SSL VPN
exists gives access to email server (MODERATE)
• Recommendation: User education
Salient Proprietary | www.salientcommercial.com
36
What did we learn?
• We must be proactive as
well as reactive
• Risk management
• Mitigation strategy
• Incident response
• Cyber security is never
once and done
• Everyone is a target –
either directed or
opportunistic
Salient Proprietary | www.salientcommercial.com
37
Top Technical Tips
Comply with the SANS Top 20 Critical Security
Controls including these quick hits
Close all unneeded ports
("default deny" mindset)
Regularly patch all
systems (including
devices, servers, and
workstations)
Create and enforce
complex password
requirements
Salient Proprietary | www.salientcommercial.com
38
Top Technical Tips
• Move to 2-factor authentication for remote access to your
networks
• Use S/MIME for digital signatures (to protect against e-mail
spoofing)
• Invest in monitoring and prevention capabilities within your
enterprise
• Subscribe to data sharing service (threat intelligence)
• Be aware of increased attack surface (protect your periphery)
• BYOD
• Unsecured public wi-fi
• Partners/providers
Salient Proprietary | www.salientcommercial.com
39
Top Business Tips
• Adopt a corporate process to properly manage
your cyber risk as part of overall risk management
portfolio
• Include in enterprise risk management (reporting to leadership team
and board of directors)
• Technical prevention alone is never enough
• Policies/tools to reduce impact of breaches
• Incident response (table top exercises, crisis management team)
Salient Proprietary | www.salientcommercial.com
40
Top Business Tips
• Develop a culture of security awareness (including user
training)
• Human behavior resists
efforts to control
• Social Engineering – spear
phishing, watering holes
• The best security prevention
is crowdsourcing – i.e.
responsibility of all
employees
Salient Proprietary | www.salientcommercial.com
41
Top Business Tips
• Inventory and classify all information assets (to
inform your risk calculus)
• Seek compliance against relevant government
and industry standards for your market
• Partner with legal, compliance and internal audit
• NAIC Principles
• Conduct an annual independent 3rd party testing
to benchmark your program and determine gaps
Salient Proprietary | www.salientcommercial.com
42
Contact Information and Q&A
Thank you for your attention during today’s presentation. For more
information, please contact:
Brian Denny
Security Audit Lead
[email protected]
www.SalientCommercial.com
And now, to our Q&A portion of today’s event.
Salient Proprietary | www.salientcommercial.com
43