Hack-a-thon Results and Cyber Risk: The Evolving Landscape
Brian Denny, Security Audit Lead
December 3, 2015
Salient Proprietary | www.salientcommercial.com

Agenda
• Burning question
• Our “Hack-a-thon” experience
• What we learned
• Technical tips for resolution
• Business tips for resolution

Our Burning Question…
Why isn’t our industry – especially small to midsized carriers – more proactive when it comes to cyber security?

Our Burning Question…
• May 2014: 233 million credentials and PII
• June 2014: 2.6 million debit/credit cards
• June 2014: 4.5 million SSN and personal data
• August 2014: 76 million consumers, 7 million small businesses
• September 2014: 56 million debit/credit cards
• October 2014: 1.2 million credit cards
• November 2014: Emails and personnel data
• February 2015: 80 million customers’ PII
• March 2015: 11 million financial and medical records
• OPM security files: 22.1 million and 4.2 million (employees, applicants, family/friends, references); PII, mental health info, drug/alcohol use; 1.1M fingerprints

Our Burning Question…
Over 70% of companies do not disclose breaches
It’s no longer a question of IF but WHEN you will have a cyber incident
Most Common Responses
• Higher priorities (both business and IT)
• Budget and resource constraints
• How do I begin? Where do I start?
• Hackers wouldn’t be interested in our company
• We took care of that last year
  • Ongoing
  • Evolving
  • Persistent

Most Common Responses
• IT handles that
Cyber security is NOT an IT issue! Protecting the company and its data is a business risk management responsibility
• Fiduciary
• Liability
• Public Relations/Reputation
• Consumer confidence

What can we do?
• How can we demonstrate the need for urgency?
• What if we convinced 10 insurance companies to let us try to hack into their systems?

Who participated?
• Wide range of companies
  • Personal, Commercial, Workers’ Comp, Niche, Life
  • $10M - $500M
  • Stock, Mutual, Privately Held, Non-Profit
  • Spread across US

What did we do?
• A brief, focused assessment to quickly:
  • Illustrate immediate risks
  • Provide a high-level view of security posture
Meant to illustrate what an attacker’s first steps would be when pursuing access to a target network
Aimed to identify vulnerabilities in the network perimeter, and to provide feedback outlining potential attack vectors

What did we do?
• Step 1 – Open source research of a target and its Internet presence
• Step 2 – Two discrete tasks to test for vulnerabilities:
  • Active Scanning – simulating a real attacker by scanning the target to identify remotely accessible services and associated vulnerabilities
  • Spear Phishing – sending targeted “phishing” emails to users to illustrate possibility of perimeter bypass

Active Scanning
• What?
  • Performed remote scans from external infrastructure
  • Leveraged publicly available tools
  • Probed Internet facing presence
  • Assessed common ports and protocols
  • Focused on vulnerability discovery rather than exploitation of target network

Active Scanning
• Why?
  • Public-facing servers and the services they provide are the front doors to an organization's network
  • Default configurations, along with poor security settings, leak information that can be extremely useful to an attacker
  • With knowledge about types of systems and software, research can be done to find or develop exploits tailored to gain access to sensitive and proprietary information and systems

Active Scanning
• Why?
  • Once an initial foothold is gained, an attacker has a platform from which he/she can explore more areas that are supposed to be quarantined from the public Internet

What were the results?
100% of companies had vulnerabilities
• 9 out of 10 had MINOR vulnerabilities
• 10 out of 10 had MODERATE vulnerabilities
• 8 out of 10 had CRITICAL vulnerabilities

What were the results?
Pie chart: 256 Total Vulnerabilities, categorized as Minor, Moderate and Critical; the chart segments read 17%, 24% and 59%

What were the results?
Bar chart: Common Scanning Vulnerabilities by Category (Information Disclosure, SSL Vulnerabilities, Man-in-the-middle, Cross Site Scripting, Overflow, VPN Vulnerabilities, Denial of Service; x-axis 0% to 100%)

Prominent Overarching Theme
70% of the most common scanning errors could have been avoided by applying available updates and patches
An unpatched vulnerability in Windows was taken advantage of by a 3rd party
The root cause was the lack of security updates that allowed stolen user credentials

Spear Phishing
• What?
  • Performed targeted “phishing” of client users
  • Regular phishing scams / emails cast a large net, attempting to lure many users into performing certain actions
  • Spear phishing is much more focused, targeting specific users with relevant content (far more effective and believable)

Spear Phishing
• What?
  • Mimicked client website and internal email user
    ValidUser@smithcompany.com vs. ValidUser@srnithcompany.com
    https://vpn.smithcompany.com vs. https://vpn.srnithcompany.com
  • Used valid SSL certificates, which prevented browsers from warning users about an “untrusted connection”

Spear Phishing
• What?
  • Requested users visit our spoofed site and enter their credentials to verify access
  • If a user clicked our link, our server recorded the IP address and browser user agent string for every connection received
  • If a user submitted the login form:
    • Server securely logged his or her credentials
    • Redirected connection to the authentic site, if it existed (if not, user was presented with a “login failed” message)
    • From there, the user could log in normally

Spear Phishing Sample

Spear Phishing
• Why?
  • Illustrates a common security bypass/perimeter breach technique
  • Even if a client’s perimeter is secure (i.e., not remotely exploitable), “client side exploits” pose a real threat
Hackers got into eBay after obtaining login credentials from employees, allowing them to access the corporate network.

Spear Phishing
• Why?
  • If an internal user can be lured to initiate an outbound connection, a remote attacker can potentially have a vector to deliver malicious code to the target user on the inside of the network
  • This vector wouldn’t exist if the client user didn’t initiate a connection to the attacker’s server
  • This enables the possibility for the attacker to exploit a client application (e.g., the web browser making the connection)
  • That is, a “client side attack or exploit”

Spear Phishing
• Why?
  • If a remote VPN is present, captured credentials can give an attacker immediate, authenticated access to a network
  • If not present, credentials can still be used to access internal legitimate corporate email
    • Theft of IP and PII
    • May enable further attacks

What were the results?
• 8 of the 10 companies fell prey to our spear phishing email
• Average of 52% of users clicked on the fake link
• Average of 42% gave us their credentials

What were the results?
• Clicking on the email link using old browsers allows exploitation of the browser into the internal network (CRITICAL)
• Clicking on the email link using current or unknown browsers allows information leakage (MINOR)
• Entering credentials where a remote SSL VPN exists gives immediate access to internal systems (CRITICAL)
• Entering credentials where no remote SSL VPN exists gives access to the email server (MODERATE)
• Recommendation: User education

What did we learn?
• We must be proactive as well as reactive
  • Risk management
  • Mitigation strategy
  • Incident response
• Cyber security is never once and done
• Everyone is a target – either directed or opportunistic

Top Technical Tips
Comply with the SANS Top 20 Critical Security Controls, including these quick hits:
• Close all unneeded ports ("default deny" mindset)
• Regularly patch all systems (including devices, servers, and workstations)
• Create and enforce complex password requirements

Top Technical Tips
• Move to 2-factor authentication for remote access to your networks
• Use S/MIME for digital signatures (to protect against e-mail spoofing)
• Invest in monitoring and prevention capabilities within your enterprise
• Subscribe to a data sharing service (threat intelligence)
• Be aware of increased attack surface (protect your periphery)
  • BYOD
  • Unsecured public wi-fi
  • Partners/providers

Top Business Tips
• Adopt a corporate process to properly manage your cyber risk as part of the overall risk management portfolio
• Include in enterprise risk management (reporting to leadership team and board of directors)
• Technical prevention alone is never enough
  • Policies/tools to reduce impact of breaches
  • Incident response (table top exercises, crisis management team)

Top Business Tips
• Develop a culture of security awareness (including user training)
  • Human behavior resists efforts to control
  • Social Engineering – spear phishing, watering holes
• The best security prevention is crowdsourcing – i.e. the responsibility of all employees

Top Business Tips
• Inventory and classify all information assets (to inform your risk calculus)
• Seek compliance against relevant government and industry standards for your market
  • Partner with legal, compliance and internal audit
  • NAIC Principles
• Conduct annual independent 3rd-party testing to benchmark your program and determine gaps

Contact Information and Q&A
Thank you for your attention during today’s presentation.
For more information, please contact:
Brian Denny
Security Audit Lead
brian.denny@SalientCommercial.com
www.SalientCommercial.com
And now, to our Q&A portion of today’s event.
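Returning to the lookalike domains on the Spear Phishing slides (smithcompany.com vs. srnithcompany.com, where "rn" reads as "m"): the following is an added defender-side example, not code from the presentation or from Salient, of a mail-gateway check that flags sender domains and linked hosts that are confusable with a protected domain. The protected-domain list, the confusable table and the sample message are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Domains the organization owns (constructed for this example).
PROTECTED_DOMAINS = {"smithcompany.com"}

# Character sequences that render nearly identically in common fonts.
# Both sides of a comparison are folded, so "srnith" and "smith" compare equal.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def fold(domain):
    """Lowercase a domain and collapse confusable sequences to one canonical form."""
    d = domain.lower().strip(".")
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d

def edit_distance_le1(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1; j += 1; continue
        edits += 1
        if edits > 1:
            return False
        # Skip one char on the longer side (insert/delete) or both (substitute).
        if len(a) > len(b): i += 1
        elif len(a) < len(b): j += 1
        else: i += 1; j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1

def classify_domain(host):
    """Return 'legitimate', 'lookalike' or 'unrelated' relative to PROTECTED_DOMAINS."""
    labels = host.lower().strip(".").split(".")
    # Check the host and each parent domain (vpn.x.com -> x.com) against the list.
    candidates = [".".join(labels[k:]) for k in range(len(labels) - 1)]
    if any(c in PROTECTED_DOMAINS for c in candidates):
        return "legitimate"
    for c in candidates:
        if any(fold(c) == fold(p) or edit_distance_le1(c, p) for p in PROTECTED_DOMAINS):
            return "lookalike"
    return "unrelated"

def scan_message(raw):
    """Extract the From: domain and every URL host; return (value, verdict) pairs flagged as lookalikes."""
    findings = []
    m = re.search(r"^From:.*?@([\w.-]+)", raw, re.M | re.I)
    if m:
        findings.append(("from:" + m.group(1), classify_domain(m.group(1))))
    for url in re.findall(r"https?://[^\s\"'<>]+", raw):
        findings.append((url, classify_domain(urlparse(url).hostname or "")))
    return [f for f in findings if f[1] == "lookalike"]

# Constructed sample message modelled on the slide's spoofed sender and VPN link.
SAMPLE_EMAIL = """From: IT Helpdesk <ValidUser@srnithcompany.com>
To: staff@smithcompany.com
Subject: VPN access verification

Please verify your access at https://vpn.srnithcompany.com/login
Reference docs: https://vpn.smithcompany.com/help
"""
```

Running scan_message(SAMPLE_EMAIL) flags the sender domain and the spoofed VPN link while leaving the genuine vpn.smithcompany.com link alone; the same fold-and-compare logic can be run over DNS query logs to spot users resolving lookalike hosts.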