Thanks! Thanks for attending this session on April 6th, 2016. If you have any questions, please contact Jim at jim@stickleyonsecurity.com. Don't forget to check out Stickley on Security and learn about our employee and member education products. Get BadPhish Phishing Simulator for $1 per employee. Seriously. Unlimited testing for an entire year! www.stickleyonsecurity.com 619-713-0803
Fraud: The new F word. Presented by Jim Stickley
Fraud "Cybercrime is a growth industry. The returns are great, and the risks are low." McAfee, June 2014
Fraud How are criminals having so much success? Email is at the root of all major breaches
Why email? Attacking a network via the Internet is hard. Employees have access to everything. If I can gain access to an employee's desktop or credentials, breaking in becomes much easier.
Phishing success on the rise In previous years, the overall effectiveness of phishing campaigns was between 10% and 20%.* A 2015 study showed that of 150,000 malicious emails sent, 50% of users opened the email and clicked on the phishing link within the first hour.* The first click on average happened within 1 minute 22 seconds.* *Verizon 2015 Data Breach Investigations Report http://www.verizonenterprise.com/dbir/2015/
How easy is it really?
Starting the attack Objective: Gain access to financial institution employee desktop
Target: Employee desktop Need names of tellers Many options available Phone is an option Google search can help There is a better way
credit union customer service
Targeting personnel I know the tellers at the financial institution Now need their email address
Targeting personnel Finding the email of teller Gmail is great for testing emails Send numerous variations bills@acmefakecu.com billsmith@acmefakecu.com bill.smith@acmefakecu.com b.smith@acmefakecu.com
Targeting personnel Whatever doesn't bounce back is real. Send numerous variations: bills@acmefakecu.com billsmith@acmefakecu.com bill.smith@acmefakecu.com b.smith@acmefakecu.com
ecard scams Starting the attack Send an email that appears to come from Hallmark
Online viewer exploits
http://www.hallmark-e-card.com/ecard-link/id=1178jaj8s87hjffkjk1212
Online viewer exploits "We got one. System connected on device 7. Have fun."
Online viewer exploits
Microsoft Windows [Version 6.1.7601]
(C) Copyright 2009 Microsoft Corp.
C:\Documents and Settings\Administrator> netstat -na
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:554 0.0.0.0:0 LISTENING
TCP 0.0.0.0:902 0.0.0.0:0 LISTENING
TCP 0.0.0.0:912 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
Online viewer exploits What is at risk? Complete compromise of computer Launch point for other attacks Can call home at scheduled times
Online viewer exploits You don't need to download anything to be infected. Adobe Flash Player is a prime target.
Online viewer exploits What about patches?
Have a webcam? This can be used to watch what you are doing without your knowledge.
What can you do? Never trust an email Employee education Limited network access
Targeting employees
Starting the attack Objective: Use social engineering and malware to gain access to desktop
Targeting personnel I already know the employees at the organization Used LinkedIn I already know their email address Used email bounce technique To complete this attack I also need to know the IT security manager Get that through LinkedIn or simply call the organization and ask
Targeting personnel We are ready to start the attack Start with social engineering
The security update Employee calls the 800 number Operator conducts validation process
The security update Ask user to go to GoToMeeting.com Once there give them meeting code to connect GoToMeeting allows a free trial of their account This allows criminals to use the solution without using real information
The security update Now we assist them with their update Video
What does this mean? Kathy thinks everything is ok and her computer is secure Reality: Complete compromise of her desktop Bypassed security on the desktop / network Launch point for more attacks including core processor Warm handoff to other employee
What can you do? Never trust an email Never allow remote control of your desktop Never install software or allow others to install software on your desktop without approval
What can you do? Never pass calls to co-workers Never assume a call passed from a co-worker is trusted. When in doubt, pick up the phone and ask someone in your IT department
Targeting employees?
Attacking the admins Why target an admin? IT Managers & System Administrators have all the access When compromised, criminals now have all the access Easy to find IT admins
Attacking the admins Use their vendor relationships against them Most organizations work with many vendors Often these relationships are public
credit union chooses
Attacking the admins What we know We have the name of the admin We have the email address We know their financial institution works with Fiserv What else do we need? Name of employee at Fiserv
Fiserv customer services
Putting it all together We found an IT Admin via LinkedIn Bill Smith We know our plan of attack Email attachment We know a banking solution they use Fiserv We know who the email will come from Katrin Rollins
Attacking the admins Let's start the attack
Attack the admins This will be the email Vice President, Professional Services & Customer Support
Attacking the admins Yep, it's on! "New remote connection confirmed. Device: 3. Have a great day. :)"
Attacking the admins
Microsoft Windows [Version 6.1.7601]
(C) Copyright 2009 Microsoft Corp.
C:\Documents and Settings\Administrator> netstat -na
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:554 0.0.0.0:0 LISTENING
TCP 0.0.0.0:902 0.0.0.0:0 LISTENING
TCP 0.0.0.0:912 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
Attacking the admins What happened?
Attacking the admins When the document was opened, the malware installed automatically. Anything could be run and/or installed on the PC. In our malware we made a basic program to start remote communication.
Using Admin Access
Administrators have access High risk servers: Core processor, Web servers, Document management servers, Database servers, ATMs, Patch management, Routers, firewalls, switches
Now that we are on Once on the network, what to do first? Install a rootkit which includes: Keyboard logging, Audio monitor, Camera monitor, Screen scrape software, Web traffic monitor
Systematic attacks Use access from the compromised employee to gain access to other servers. If the employee has access to upgrade ATMs, then we could upgrade ATMs as well. Real case where ATMs would receive updates provided by an admin employee.
Systematic attacks Started with email attack. Gained access to admin's desktop. Used desktop to gain access to secured ATM network segment. Once on the network segment, was limited to a single server. Used that server as a delivery mechanism to install malware on the ATM servers. Once malware was on the ATM, just waited for cash to be delivered.
What does this mean? What could it do?
What does this mean? How could this be used to our advantage? We don't have access to connect to ATM servers. We can't exploit any known vulnerabilities. What if we make our own upgrade installer?
What does this mean? What should the malicious code do? Avoid trying to modify existing software Install code that accesses the cash dispenser Tell the ATM to dispense cash at a specified time
What does this mean? Can this really be done? Video
What can be done? Employee awareness & education Install security patches Be cautious of ALL attachments Even non-executable Be cautious of all websites Flash is not your friend Limit and monitor outbound data connections
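The slides note that this kind of malware "can call home at scheduled times" and advise limiting and monitoring outbound connections. Below is an added example (not from the presentation) that acts on that advice: it reads a connection log and flags destinations contacted at near-constant intervals. The log format, the IP addresses and the 600-second beacon interval are all constructed for the example.

```python
# Added example (not from the presentation): flag outbound connections that
# "call home" on a fixed schedule by looking for destinations that are
# contacted at near-constant intervals in a connection log.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src_ip dst_ip:port". The 203.0.113.7
# entries are a hypothetical beacon firing every 600 s; the others are normal.
SAMPLE_LOG = """\
2016-04-06T09:00:00 10.1.2.30 203.0.113.7:443
2016-04-06T09:01:12 10.1.2.30 198.51.100.20:443
2016-04-06T09:10:00 10.1.2.30 203.0.113.7:443
2016-04-06T09:14:51 10.1.2.30 198.51.100.20:443
2016-04-06T09:20:01 10.1.2.30 203.0.113.7:443
2016-04-06T09:30:00 10.1.2.30 203.0.113.7:443
2016-04-06T09:33:40 10.1.2.30 198.51.100.20:443
2016-04-06T09:40:00 10.1.2.30 203.0.113.7:443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(conns, min_hits=4, max_jitter=0.1):
    """Return {pair: period_seconds} for pairs whose gaps are nearly constant.
    max_jitter is the allowed stddev/mean ratio of the gaps: a person browsing
    a site produces irregular gaps, a scheduled call-home does not."""
    hits = {}
    for pair, times in conns.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[pair] = round(avg)
    return hits


if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

Tune min_hits and max_jitter to the log volume you have; a real beacon often adds deliberate jitter, so compare against a baseline of known-good destinations rather than relying on one threshold.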
Breach Preparedness
Prepare for the breach It's better to be prepared and never need it
Best place to start Create an incident response team layout Each breach is different so determining ahead of time the exact people to be on a team is not realistic The basic framework may include personnel from the following areas Legal (Often team lead) CSO IT Department Law Enforcement Member care Vendors Forensics PR Breach remediation
The breach lifecycle When an organization experiences a breach, there is a typical lifecycle that will take place Part of the preparedness plan is to understand the complete lifecycle
The breach lifecycle Discover the breach This is obviously the most important step in the lifecycle The longer the breach goes undetected the more damage that can occur Deploy internal response team
The breach lifecycle Begin initial investigation There are reasons beyond criminal activity for a data breach It is important to begin the initial investigation to eliminate non-criminal activity Also determining the type of data lost is important
The breach lifecycle Contact law enforcement. Employ vendors: Forensics, Breach resolution, PR, Legal counsel
The breach lifecycle Initiate notification process Compromised members need to receive a notification regarding the breach Breach notification laws exist in almost every state in the US plus the District of Columbia, the Virgin Islands and Puerto Rico Work with PR company and legal to ensure proper messaging Members main concern is what is at risk and how are you protecting them
The breach lifecycle Make public announcement This should take place at almost the exact same time as member notifications Work with PR company and legal to ensure proper messaging In most cases comprehensive details are not necessary
The breach lifecycle Be prepared for questions. Customers will have questions. Make sure all employees are well versed and prepared on what they can and can't say. In many cases outsourcing the inquiries will be your best bet.
Breach conclusion Every financial institution requires a breach preparedness (Incident Response) plan The board should review and approve the plan Documenting services and vendors that will be required in the plan can reduce stress, costs and time in the event of a breach
One for the road
One for the road Hacking is not the only threat to organizations
Bypassing the initial hack How do you gain complete control of an organization's internal network? The Cleaning Crew
After hours concerns Why go after the cleaning crew? Cleaning crews have complete access to the facility Employees often are recognized by cleaning crew No one ever knows you were there Video
After hours concerns Other ways to get in An ID card is as good as a key
After hours concerns What can you do to protect your organization? Strict policies for cleaning crew Do not allow anyone in after hours without a key Even if you know the person, they are not allowed in When they exit to take out trash, do not prop open doors Contact list available for cleaning crew Easy to access list of contacts in case of problems / questions Test cleaning crew Send real employees from time to time after hours and see if they can gain access
After hours concerns What happens when cleaning crews follow proper procedures?
After Hours Concerns
In The End
In the end You can't prevent every security risk. Education and awareness are an important defense against cyber attacks. Remember that you can spend hundreds of thousands on security products and it just takes one human mistake to bypass it all.
Employee & Member Education & Awareness Solutions