Social Engineering and Phishing - SeNet International Corporation

Social Engineering and Phishing
(Fish are not the only things that need to be concerned.)
August 24, 2011
Introduction
SeNet
During the course of this presentation, I will illustrate methods that
attackers and others with malicious intent have used to compromise
Personally Identifiable Information (PII) and other sensitive data. I
will also examine several case studies that show how PII was
compromised and how the breach could have been prevented.
Finally, I will offer several defense and protection mechanisms.
I am SeNet’s Chief Technology Officer (CTO). Previously, I worked
for the security consulting practices of both KPMG and Deloitte and
Touche. I have led and performed numerous vulnerability
assessments and penetration tests in support of financial audits,
FISMA audits, and other compliance-related efforts.
I can be reached at 703-206-9383 or gus.fritschie@senet-int.com.
© 2011 SeNet International Corp.
2
August 2011
About SeNet
SeNet International is a small business founded in 1998 to deliver network and
information security consulting services to government and commercial clients.
• High-End Consulting Services Focus
  – Government Certification and Accreditation Support
  – Network Integration
  – Security Compliance Verification and Validation
  – Security Program Development with Business Case Justifications
  – Complex Security Designs and Optimized Deployments
• Proven Solution Delivery Methodology
  – Contract Execution Framework for Consistency and Quality
  – Technical, Management, and Quality Assurance Components
• Exceptional Qualifications
  – Executive Team – Security Industry Reputation and Active Project Leadership
  – Expertise with Leading Security Product Vendors, Technologies, and Best Practices
  – Advanced Degrees, Proper Clearances, Standards Organization Memberships, and
    IT Certifications
• Corporate Resources
  – Located in Fairfax, Virginia
  – Fully Equipped Security Lab
  – Over 40 Full-time Security Professionals
The PII Challenge
Definition
Personally Identifiable Information (PII) is information that can be used
to uniquely identify, contact, or locate a single person or can be used
with other sources to uniquely identify a single individual.
Challenges of PII
• Pervasive – traditional and new, non-traditional end points
• Highly sensitive and highly coveted
• Difficult to do away with
PII Examples
Examples of PII include:
• Full name (if not common)
• National identification number
• IP address (in some cases)
• Vehicle registration/plate number
• Driver's license number
• Face, fingerprints, or handwriting
• Credit card numbers
• Digital identity
• Birthday
• Birthplace
• Genetic information
PII Leakage Paths
PII can “leak out” intentionally and unintentionally in many
ways, such as:
• E-mail attachments
• Printouts and faxes
• Lost tapes, zip drives, and other storage media
• Lost or stolen laptops
• Social networking
• Instant messaging programs
• File sharing programs
• Unsecure Web sites
• Active attacks by bad actors
Data Leakage Paths
PII Attack Vectors
• Phishing (no, it’s not a typo)
• Social Engineering
• Cross-site Scripting (XSS)
• SQL Injection
• Malware
• Many others
Phishing Attacks and Social Engineering
While there are several different attack vectors that could be used to
gain unauthorized access to PII, two of the most common are old-fashioned
social engineering and phishing attacks.
What is Social Engineering?
Social engineering is the process of deceiving people into giving away
access or confidential information.
Wikipedia defines it as “the act of manipulating people into
performing actions or divulging confidential information. While similar
to a confidence trick or simple fraud, the term typically applies to
trickery or deception for the purpose of information gathering, fraud,
or computer system access; in most cases the attacker never comes
face-to-face with the victim.”
Many consider social engineering to be the greatest risk to security.
Categories of Social Engineers
• Hackers
• Spies or Espionage
• Identity Thieves
• Disgruntled Employees
• Scam Artists
• Sales
• Governments
Why Social Engineering?
"Because there is no patch for human stupidity"
"People are the largest vulnerability in any network"
Path of Least Resistance
A hacker can spend hours, weeks, or months trying to brute force
his or her way to a password... when a phone call with the right
pretext and perfect questions can identify the same password or
more in a few minutes.
What is Pretexting?
• Pretexting is the act of creating an invented scenario to persuade a
targeted victim to release information or perform some action. It is
more than just creating a lie; in some cases, it can be creating a
whole new identity and then using that identity to manipulate the
receipt of information. Pretexting can also be used to impersonate
people in certain jobs and roles that they have never performed
themselves.
• Pretexting is also not a “one size fits all” solution. A social engineer
will have to develop many different pretexts over his or her career.
All of them will have one thing in common: research. Good
information gathering techniques can make or break a good
pretext. Being able to mimic the perfect technical support
representative is useless if your target does not use outside
support.
• One of the most important aspects of social engineering is trust.
Common SE Attack Vectors
In the world of social engineering, there are numerous attack vectors.
Some involve a lot of technology; others contain none at all.
• Customer Service
• Tech Support
• Marketing
• Phone
• Delivery Person
Phishing vs. Spear Phishing
Phishing – E-mails that typically contain a link to a counterfeit Web
site designed to look like an authentic login page. The counterfeit
site captures the personal data entered into it for cyber criminals,
who use the data to commit financial fraud.
Spear Phishing – Targets are identified in advance, and the e-mails
that attempt to trick them into handing over personal data can be
highly specific. They might claim to come from a friend or colleague,
or seek to exploit the target’s known interests.
Social Engineering Tools
• SET – Social Engineering Toolkit
  (http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET))
• BeEF – Browser Exploitation Framework
  (http://www.bindshell.net/tools/beef.html)
• Metasploit – http://www.metasploit.com/
Demo
Demo Time
APT and PII
APT is not about smashing and grabbing; rather, it is about
methodically reaching your objectives, establishing a beachhead
within the organization, and exploiting as much of the organization
as possible for as long as possible without being detected.
APT and PII (cont’d)
APT is:
• Advanced – Assumes everything from mundane attack attempts to
sophisticated custom crafting of exploits.
• Persistent – Focused on an objective, so this is not just a “drive-by”
or “smash-and-grab.” The threat will not go away or move out
of legal reach. “Persistent” means trying to maximize exploitation
of information over a period of time, sometimes a long period of
time.
• Threat – Targeting your organization for a specific reason. This
takes advantage of human ability and creativity, and is not a bot
or worm, although those tools may be employed.
Case Study 1
Operation Aurora
• Began in mid-2009 and continued through December 2009. Involved several
  other companies in addition to Google.
• Google stated that some of its intellectual property had been stolen.
• Attackers were interested in accessing Gmail accounts of Chinese dissidents.
• Attackers had exploited purported zero-day vulnerabilities in Internet Explorer.
Case Study 1 (cont’d)
• Additional vulnerabilities were found in Perforce, the source code
  revision system Google used to manage its source code.
• Once a victim's system was compromised, a backdoor masquerading as an
  SSL connection connected out to command-and-control servers.
• The victim's machine then began exploring the protected corporate
  intranet of which it was a part, searching for other vulnerable systems
  as well as sources of intellectual property, specifically the contents
  of source code repositories.
Case Study 2
This case study explores an example where data (including PII) in an
Oracle database is compromised.
Initially, a scan is conducted to identify Oracle databases.
Case Study 2 (cont’d)
Weak passwords are not just a problem with Microsoft. This tool can
be used to determine whether default Oracle passwords exist.
Case Study 2 (cont’d)
With the correct credentials obtained, a tool such as DB-Examiner can be
used to obtain a graphical view of the database structure.
Case Study 2 (cont’d)
Of course, data is the crown jewel that many attackers are after. In this
example, using the compromised account and information about the data
structure, a query is executed to view personal data including name,
social security number, and salary.
Methods to Protect PII
• Encryption
• Multi-factor Authentication
• Strong Access Controls
• Security Awareness Training
• End-point Security
• Data Leakage Prevention
Social Engineering Protections
• Education/training
• Be aware of the information you are releasing.
• Determine which of your assets are most valuable to criminals.
• Keep your software up to date.
• When asked for information, consider whether the person you are
talking to deserves the information they are asking about.
• Report suspicious activity.
• Be skeptical.
• Never respond using information contained in the e-mail,
particularly links to Web sites.
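The counterfeit-site link described on the Phishing vs. Spear Phishing slide, and the advice above never to follow links contained in an e-mail, can be turned into a mail-side check. The following is an added example, not code from the SeNet deck: the expected-domain allow-list, the last-two-labels domain heuristic and the sample mail are all constructed for illustration.

```python
# Added example (not the deck's code): flag counterfeit-site links in an HTML e-mail; the sample mail is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def registrable(host):
    """Crude registrable-domain heuristic: keep the last two labels."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body, expected_domains):
    """Return [(href, reason)] for each link that matches a phishing signal."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # mailto:, tel: and relative links are out of scope here
        shown = DOMAIN_RE.search(text)  # the domain the reader sees, if any
        if IP_RE.match(host):
            findings.append((href, "link target is a bare IP address"))
        elif shown and registrable(shown.group(0)) != registrable(host):
            findings.append((href, "visible text names a different domain"))
        elif registrable(host) not in expected_domains:
            findings.append((href, "host outside the expected domains"))
    return findings

# Constructed sample: two phishing-style links followed by one legitimate link.
SAMPLE_MAIL = ('<p>Sign in at <a href="http://203.0.113.5/login">https://bank.example.com</a> '
               'or <a href="https://bank.example.com.attacker.invalid/login">bank.example.com</a>.'
               ' <a href="https://bank.example.com/help">Help</a></p>')
```

Running `suspicious_links(SAMPLE_MAIL, {"example.com"})` reports the bare-IP link and the look-alike domain, and passes the genuine help link; the two-label heuristic is deliberately simple and would need a public-suffix list for hosts such as `example.co.uk`.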
Conclusions
As can be seen throughout this presentation, there are many different
attack vectors that can be used to gain access to your PII or other
sensitive information. Often, attackers choose the easiest target,
which is why social engineering and phishing are being used more
frequently.
While no method can guarantee 100% protection against these types
of attacks, by understanding how these attacks work, you can better
defend yourself against them.
Questions
Questions?