Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

Transcription

1 Thanks! Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at jim@stickleyonsecurity.com Don t forget to checkout Stickley on Security and learn about our employee and member education products. Get BadPhsih Phishing Simulator for $1 per employee. Seriously. Unlimited testing for an entire year!

2 Fraud The new F word Presented by Jim Stickley

3 Fraud Cybercrime is a growth industry. The returns are great, and the risks are low McAfee June 2014

4 Fraud How are criminals having so much success? is at the root of all major breaches

5 Why ? Attacking a network via the Internet is hard Employees have access to everything If I can gain access to an employees desktop or credentials, breaking in becomes much easier

6 Phishing success on the rise Previous years, overall effectiveness of phishing campaigns was between 10% and 20%* 2015 study showed that of 150,000 malicious s sent, 50% of users opened the and clicked on the phishing link within the first hour* The first click on average happened within 1 minute 22 seconds* *Verizon 2015 Data Breach Investigations Report

7 How easy is it really?

8 Starting the attack Objective: Gain access to financial institution employee desktop

9 Target: Employee desktop Need names of tellers Many options available Phone is an option Google search can help There is a better way

10 credit union customer service

11

12 Targeting personnel I know the tellers at the financial institution Now need their address

13 Targeting personnel Finding the of teller Gmail is great for testing s Send numerous variations

14

15 Targeting personnel Whatever doesn t bounce back is real Send numerous variations bills@acmefakecu.com billsmith@acmefakecu.com bill.smith@acmefakecu.com b.smith@acmefakecu.com

16 ecard scams Starting the attack Send from Hallmark

17 Online viewer exploits

18

19 Online viewer exploits

20

21 Online viewer exploits We got one System connected on device 7 Have fun.

22 Online viewer exploits Microsoft Windows [Version ] (C) Copyright 2009 Microsoft Corp. C:\Documents and Settings\Administrator> Active Connections netstat -na Proto Local Address Foreign Address State TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING

23 Online viewer exploits What is at risk? Complete compromise of computer Launch point for other attacks Can call home at scheduled times

24 Online viewer exploits You don t need to download anything to be infected Adobe Flash player prime target

25 Online viewer exploits You don t need to download anything to be infected Adobe Flash player prime target

26

27 Online viewer exploits What about patches?

28

29 Have a web cam? This can be used to watch what you are doing without your knowledge

30 What can you do? Never trust an Employee education Limited network access

31 Targeting employees

32 Starting the attack Objective: Use social engineering and malware to gain access to desktop

33 Targeting personnel I already know the employees at the organization Used LinkedIn I already know their address Used bounce technique To complete this attack I also need to know the IT security manager Get that through LinkedIn or simply call the organization and ask

34 Targeting personnel We are ready to start the attack Start with social engineering

35

36 The security update Employee calls the 800 number Operator conducts validation process

37 The security update Ask user to go to GoToMeeting.com Once there give them meeting code to connect GoToMeeting allows a free trial of their account This allows criminals to use the solution without using real information

38 The security update Now we assist them with their update Video

39

40 What does this mean? Kathy thinks everything is ok and her computer is secure Reality: Complete compromise of her desktop Bypassed security on the desktop / network Launch point for more attacks including core processor Warm handoff to other employee

41 What can you do? Never trust an Never allow remote control of your desktop Never install software or allow others to install software on your desktop without approval

42 What can you do? Never pass calls to co-workers Never assume a call passed from a co-worker is trusted. When in doubt, pick up the phone and ask someone in your IT department

43 Targeting employees?

44 Attacking the admins Why target an admin? IT Managers & System Administrators have all the access When compromised, criminals now have all the access Easy to find IT admins

45 Attacking the admins Use their vendor relationships against them Most organizations work with many vendors Often these relationships are public

46 credit union chooses

47

48

49

50

51 Attacking the admins What we know We have the name of the admin We have the address We know their financial institution works with Fiserv What else do we need? Name of employee at Fiserv

52 Fiserv customer services

53 Fiserv customer services

54 Putting it all together We found an IT Admin via LinkedIn Bill Smith We know our plan of attack attachment We know a banking solution they use Fiserv We know who the will come from Katrin Rollins

55 Attacking the admins Lets start the attack

56 Attack the admins This will be the Vice President, Professional Services & Customer Support

57 Attack the admins This will be the

58 Attacking the admins Yep, it s on! New remote connection confirmed. Device: 3 Have a great day. :)

59 Attacking the admins Microsoft Windows [Version ] (C) Copyright 2009 Microsoft Corp. C:\Documents and Settings\Administrator> Active Connections netstat -na Proto Local Address Foreign Address State TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING

60 Attacking the admins What happened?

61

62 Attacking the admins When document opened, malware automatically installed Anything could be run and or installed on the PC In our malware we made basic program to start remote communication

63 Using Admin Access

64 Administrators have access High risk servers: Core processor Web servers Document management servers Database servers ATM s Patch Management Routers, firewalls, switches

65 Now that we are on Once on the network, what to do first? Install root-kit which includes Keyboard logging Audio monitor Camera monitor Screen scrape software Web traffic monitor

66 Systematic attacks Use access from compromised employee to gain access to other servers If employee has access to upgrade ATM s then we could upgrade ATM s as well Real case where ATM s would receive updates provided by admin employee

67 Systematic attacks Started with attack Gained access to admins desktop Used desktop to gain access to secured ATM network segment Once on network segment was limited to single server Used that server as a delivery mechanism to install malware on the ATM servers Once malware on ATM, just waited for cash to be delivered

68 What does this mean? What could it do?

69 What does this mean? What could it do?

70 What does this mean? How could this be used to our advantage? We don t have access to connect to ATM servers We cant exploit any known vulnerabilities What if we make our own upgrade installer?

71 What does this mean? What could it do?

72 What does this mean? What could it do?

73 What does this mean? What could it do?

74 What does this mean? What should the malicious code do? Avoid trying to modify existing software Install code that accesses the cash dispenser Tell the ATM to dispense cash at a specified time

75 What does this mean? Can this really be done? Video

76

77 What can be done? Employee awareness & education Install security patches Be cautious of ALL attachments Even non-executable Be cautious of all websites Flash is not your friend Limit and monitor outbound data connections

78 Breach Preparedness

79 Prepare for the breach It s better to be prepared and never need it

80 Best place to start Create an incident response team layout Each breach is different so determining ahead of time the exact people to be on a team is not realistic The basic framework may include personnel from the following areas Legal (Often team lead) CSO IT Department Law Enforcement Member care Vendors Forensics PR Breach remediation

81 The breach lifecycle When an organization experiences a breach, there is a typical lifecycle that will take place Part of the preparedness plan is to understand the complete lifecycle

82 The breach lifecycle Discover the breach This is obviously the most important step in the lifecycle The longer the breach goes undetected the more damage that can occur Deploy internal response team

83 The breach lifecycle Begin initial investigation There are reasons beyond criminal activity for a data breach It is important to begin the initial investigation to eliminate non-criminal activity Also determining the type of data lost is important

84 The breach lifecycle Contact law enforcement Employ vendors Employ vendors Forensics Breach resolution PR Legal council

85 The breach lifecycle Initiate notification process Compromised members need to receive a notification regarding the breach Breach notification laws exist in almost every state in the US plus the District of Columbia, the Virgin Islands and Puerto Rico Work with PR company and legal to ensure proper messaging Members main concern is what is at risk and how are you protecting them

86 The breach lifecycle Make public announcement This should take place at almost the exact same time as member notifications Work with PR company and legal to ensure proper messaging In most cases comprehensive details are not necessary

87 The breach lifecycle Be prepared for questions Customers will have questions Make sure all employees are well versed and prepared on what they can and can t say In many cases outsourcing the inquiries will be your best bet

88 Breach conclusion Every financial institution requires a breach preparedness (Incident Response) plan The board should review and approve the plan Documenting services and vendors that will be required in the plan can reduce stress, costs and time in the event of a breach

89 One for the road

90 One for the road Hacking is not the only threat to organizations

91 Bypassing the initial hack How do you gain complete control of an organizations internal network? The Cleaning Crew

92 After hours concerns Why go after the cleaning crew? Cleaning crews have complete access to the facility Employees often are recognized by cleaning crew No one ever knows you were there Video

93 93

94 After hours concerns Other ways to get in An ID card is as good as a key

95 After hours concerns What can you do to protect your organization? Strict policies for cleaning crew Do not allow anyone in after hours without a key Even if you know the person, they are not allowed in When they exit to take out trash, do not prop open doors Contact list available for cleaning crew Easy to access list of contacts in case of problems / questions Test cleaning crew Send real employees from time to time after hours and see if they can gain access

96 After hours concerns What happens when cleaning crews follow proper procedures?

97 After Hours Concerns

98 In The End

99 In the end You can t prevent every security risk Education and awareness are an important defense against cyber attacks Remember that you can spend hundreds of thousands on security products and it just takes one human mistake to bypass it all

100 Employee & Member Education & Awareness Solutions