IT Security Training and Awareness Workshop (Part 1) - AIM-IRS

Official Use Only

Tony H. McMahon, MITS Director, Transition 2 Program Manager, Cust. Acct. Data Eng. Program Office, Washington, DC
Giselle C. Joseph, IT Security Specialist, MITS CyberSecurity Operations, Houston, Texas
• Largest IT environment of any U.S. civilian agency
• More PII than any other government agency
• Processes $2.5T of revenues
• Complex & diverse IT infrastructure
• Complex & diverse business processes utilizing many channels (e-file, paper, internet, phone, walk-in)
• 80% of American taxpayers will file electronically by the year 2012
• 700+ PODs
Top 10 Attacking Countries (denied)

Country              Hit Count
United States (US)   14,911,704
China (CN)            1,101,127
Canada (CA)             668,888
Great Britain (GB)      145,444
Japan                   106,340
Germany (DE)             98,002
Europe (EU)              55,002
Korea (KR)               47,437
Netherlands (NL)         46,623
Russia (RU)              37,005

The slide also lists a "No Country Code" entry whose hit count did not survive extraction. Hit counts cover a 3-month period.
• DATA: All information used and transmitted by the organization.
  Sensitive But Unclassified (SBU): sensitive but unclassified information originating within IRS offices, e.g. personal information, tax return information and Personally Identifiable Information (PII). PII includes the personal data of taxpayers and also the personal information of employees, contractors, applicants and visitors to the IRS, e.g. home addresses, names and Social Security Numbers.
  National Security Information (cyber espionage).
• HARDWARE: Desktop computers, servers, wireless access points (APs), networking equipment, telecommunications connections, etc.
• SOFTWARE: Application programs, operating systems, security software, etc.
• No one knows who I am on the Internet
• The Internet is a virtual world, so nothing bad can happen to me
• Security software (anti-virus, firewall, etc.) will protect me
• The IRS will protect me
• Law enforcement will protect me

Web-based attack activity, 2009–2010
Source: Symantec Corporation
Who are they?
No longer just technogeeks.

GANGS/GROUPS
► Criminal gangs: employ individuals or groups of hackers to steal PII, credit card & banking information.
► Hacker gangs: create & sell botnets & hacker tools; sometimes engage in activity to wage cyber war on each other or to boost their reputation.
► Political or religious groups: hacking for military and commercial secrets & to inflict damage.

Hackers, Attackers or Intruders: well resourced, funded by criminal enterprises, nations, political or religious entities.

[Diagram: actor types (Script Kiddies, Computer Spy, Employees, Cybercriminals, Religious Groups, Cyberterrorists) and their motivations (glory, financial profit, political)]
“They have shifted from ‘glory-motivated vandals’ to ‘financially- and politically-motivated cyber-crime.’”
Joseph McElroy: hacked US Dept of Energy
Chen Ih Hua: CIH virus
Jay Echouafni: competitive DDoS
Jeremy Jaynes: $24M spam king
Jeffrey Lee Parson: Blaster-B copycat
Andrew Schwarmkoff: Russian mob phisher
Photos from colleagues at F-Secure
• Highly motivated, professionally trained & equipped adversaries
• Espionage and sabotage aimed at US Government, Military & Commercial sites
• Strategic & Tactical Attacks
• Threat to the military & economic security of the United States
Social Engineering: Phishing, Pharming, etc.
Malware (Malicious Code): Viruses, Trojans, Spyware, Spam, Botnets, etc.
Network Vulnerabilities & Attacks: Weak Passwords, Backdoors, DoS, Spoofing, etc.
Hardware-Based Attacks: USB drives, Cell phones, etc.
Web Browser Attacks: Cookies, ActiveX, etc.
Communication-Based Attacks: Instant Messaging (IM), peer-to-peer (P2P), etc.
Wireless Attacks & Protocol-Based Attacks: War Driving, Bluesnarfing, etc.
Difficulties in Defending Against Attackers: Speed, Sophistication & Simplicity of Attacks, etc.
Lack of Education and Training (Security Awareness): Smart people doing "not so smart things", e.g. donating a computer without sanitizing its disk.
Social Engineering Tactics
Social Engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim.
► E-Mail: Phishing, Pharming, Computer hoaxes, etc.
► Telephone
► In Person: Shoulder Surfing, Stealing, Browsing; Dumpster Diving
► Internet: Unsafe Web Sites
► In Writing

Combat Social Engineering:
► Never reveal or share your password.
► Never provide information about IRS systems & networks.
► Never change your password to something that another person has requested.
► Never disclose Sensitive & Official Use Only (OUO) information.
► Never reply to e-mail messages that request your personal information.
► Never click links in suspicious e-mail.
► Never unsubscribe from e-mail unless it is from a reputable business.
► Never download from the Internet on IRS computers.
► Always be careful whom and where you download from on home computers.
► Always verify the identity of callers.
► Always discard sensitive information appropriately (shred, locked burn bins, etc.).
► When dealing with companies, do your homework to ensure that they are legitimate (Better Business Bureau (BBB)).
MALWARE
Malware is software that enters a computer system without the owner’s knowledge or consent. Malware is also referred to as Malicious Code or Malicious Content. Malware's most common pathway from criminals to users is through the Internet, primarily by e-mail and the World Wide Web. Malware is a variety of damaging and/or annoying software.

Three main objectives of Malware:
Infecting Malware: Viruses, Worms
Concealing Malware: Trojan Horses, Rootkits, Logic Bombs, Backdoors, and Privilege Escalation
Malware for Profit: Spam, Spyware, and Botnets
Trojan Horses
A Trojan horse, or Trojan, is a type of malware that disguises itself as legitimate software: a destructive program that masquerades as an application. When an end user attempts to install or run the seemingly benign executable file, their system becomes infected with malicious code, which gives an attacker access to the user’s privileges and sensitive information. [Malware]
► Trojans are approximately 90% of the malicious code events detected by IRS every quarter.
► 80% or more of these Trojans come from malicious websites.
► According to Symantec, Trojans are the most important source of potential infections. In 2010, 56 percent of the volume of the top 50 malicious code samples reported were classified as Trojans, the same percentage as in 2009.

Spyware (Malware)
Spyware is a general term used to describe software that violates a user’s personal security. Spyware creators are motivated by profit: they generate income through advertisements or by acquiring personal information, and may change configurations. Although attackers use several different spyware tools, the two most common are adware and keyloggers.
► Adware (spyware tool) typically displays advertising banners or pop-up ads, or opens the web browser while the user is on the Internet.
► Keylogger (spyware tool) is a small hardware device or a program that monitors each keystroke a user types on the computer’s keyboard.
Spyware usually performs one of the following functions on a user’s computer: advertising (pop-ups), collecting personal information, or changing computer configurations.
NOTE: Your Personal Information can be obtained through [zabasearch.com, & Spokeo,]
PHISHING
Phishing is an attack that sends an e-mail or displays a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information. [Social Engineering]
Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
► Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
► Phishers like to use variations of a legitimate address, e.g. www.ebay_secure.com.
► In many cases, clicking to open pop-ups will attach malware to your computer.

SPAM
SPAM is unsolicited junk e-mail. It continues to escalate through the Internet. On average it costs U.S. organizations $1000 (or more) per person annually in lost productivity. [Social Engineering / Malware]
Most SPAM comes in the form of chain letters, jokes, hoaxes, and advertisements.
► Botnets, networks of virus-infected computers, are used to send about 80% of spam.
► Spammers collect e-mail addresses from chatrooms, websites, customer lists, newsgroups, and viruses which harvest users' address books, and the addresses are sold to other spammers.
► Spam averages 80% of all e-mail sent, with many messages containing malware attachments.
► In the year 2011 the estimated figure for spam messages is around seven trillion.
NOTE: For hoaxes, check out Snopes.com and/or TruthorFiction.com
Web Browsing
Web Browsing: Surfing the web can often lead to unsafe websites. In addition, many e-mail messages direct users to unsafe websites. [Phishing]
UNSAFE WEB SITES: Many legitimate web sites have unknowingly been infected and have malware attached to downloads. Users should never log on to a web site from a link in an e-mail; instead they should open a new browser window and type the legitimate address.
► IRM 10.8.27.3 (1) states “Employees should not download unauthorized programs.” DOWNLOADING NOT PERMITTED.
► Any web site in which the user is asked to enter personal information should start with “https” instead of “http” and should include a padlock in the browser status bar.
► One way to check the links in an e-mail you receive is to place your mouse cursor over the link BUT DO NOT CLICK. This will display the true link, as shown in the image below.
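The "hover, don't click" check above and the look-alike address trick from the phishing slide (www.ebay_secure.com), applied programmatically to an e-mail body. This is an added example, not material from the workshop; the protected-brand list and the sample message are constructed for it.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
PROTECTED_BRANDS = ("irs", "ebay", "paypal")  # constructed list for this example
class _LinkCollector(HTMLParser):  # (href, visible text) pairs: what hovering reveals
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def lookalike_brand(host):
    """Brand the second-level label imitates ('ebay_secure', 'irs-w2update'), else None."""
    parts = host.lower().split(".")  # no public-suffix handling (co.uk etc.)
    label = parts[-2] if len(parts) >= 2 else host.lower()
    for brand in PROTECTED_BRANDS:
        if brand in label and label != brand:
            return brand
    return None
def check_links(html):
    """Return [(href, [reasons])] for every link that deserves a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, reasons = urlparse(href), []
        host = target.hostname or ""
        # 1. visible text names a host that differs from where the link really goes
        m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if m and m.group(1).lower() != host:
            reasons.append("text says %s but link goes to %s" % (m.group(1), host))
        if target.scheme == "http": reasons.append("plain http")  # 2. no https
        brand = lookalike_brand(host)  # 3. variation of a legitimate address
        if brand:
            reasons.append("looks like %s but is %s" % (brand, host))
        if reasons:
            findings.append((href, reasons))
    return findings
# Constructed sample body modelled on the "W-2 form update" lure in the bulletin.
SAMPLE_EMAIL = """<p>Important: W-2 form update</p>
<a href="http://www.irs-w2update.example/form">https://www.irs.gov/w2</a>
<a href="https://www.ebay_secure.com/login">Sign in to eBay</a>
<a href="https://www.irs.gov/">IRS home page</a>"""
```

Running `check_links(SAMPLE_EMAIL)` flags the first two links (host mismatch plus plain http plus an "irs" look-alike, and an "ebay" look-alike) and passes the genuine www.irs.gov link.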
Removable Media
Removable Media is designed to be removed from the computer without powering the computer off. Despite its advantages, removable media are widely used to spread malware. [Hardware Based Attack]
REMOVABLE MEDIA: Some types of removable media are Blu-ray discs, DVDs, CDs, memory cards, floppy disks, magnetic tapes, paper data storage, USB drives, etc. iPods, MP3 players, digital cameras, and smart phones connected to your computer system are also considered to be removable media.
► In 2010 IRS saw an increasing trend of malware-related infections resulting from users connecting either IRS-issued or personally owned removable media to IRS systems.
Botnet (Malware)
Botnets: One of the popular payloads of malware today that is carried by Trojan horses, worms and viruses is a program that will allow the infected computer to be placed under the remote control of an attacker. This infected “robot” computer is known as a zombie. When hundreds, thousands, or even tens of thousands of zombie computers are under the control of an attacker, this creates a botnet. [Malware]
Botnets enable attackers to send massive amounts of spam, harvest e-mail addresses, spread malware, manipulate online polls, deny services, and flood servers with requests until the servers cannot respond or function properly.

Denial of Service Attacks
A denial-of-service (DoS) attack attempts to consume network resources so that the network or its devices cannot respond to legitimate requests.
NOTE: Although DoS attacks are not widespread on wireless networks, inadvertent interference from other RF devices (cordless telephones, microwave ovens, baby monitors) can sometimes actually cause DoS. When slow transmission happens, either turn them off or cut them off.

Zero-Day Attacks
Zero-Day Attack: This type of attack occurs when an attacker discovers and exploits a previously unknown flaw, providing “zero days” of warning.
Network Attacks
Network Attacks: Networks have been the favorite targets of attackers for several reasons. An attacker who can successfully penetrate a computer network might have access to hundreds or even thousands of desktop systems, servers, and storage devices. Also, networks have had notoriously weak security, such as default passwords left set on network devices. And because networks offer many services to users, it is sometimes difficult to ensure that each service is properly protected against attackers.
Network Vulnerabilities: weak passwords, default accounts, backdoors, and privilege escalation.
Network Categories and Methods of Attacks: denial-of-service, spoofing, man-in-the-middle, and replay attacks, protocol-based or wireless, etc.

Communication Based Attacks
Communication Based Attacks: Some of the most common communications-based attacks are SMTP open relays, instant messaging, and peer-to-peer (P2P) networks.

Wireless Attacks
Wireless Attacks: As wireless networks have become commonplace, new attacks have been created to target these networks. These attacks include rogue access points, war driving, Bluesnarfing, and bluejacking.
www.phishing@irs.gov
www.spam@irs.go

Many e-mails may lead to unsafe websites, either containing malicious code or trying to obtain personal information. (Look at the address link.)

IRS CSIRC - 03022011-001-Bulletin: Malicious Code "W-2 form update" in Circulation
What is the problem?
The CSIRC team is aware of malicious code circulating via phishing email messages entitled "Important: W-2 form update". These email messages appear to come from the Internal Revenue Service and offer a link that suggests it will take you to the "updated version of the W-2 form". The link contained within the email messages seems to be legitimate but is in fact a way of luring unsuspecting users into downloading malicious software in the form of a Trojan.
Pictured below is an example of the recent phishing message currently in circulation; the incorrect punctuation and misspellings are an immediate red flag. However, this threat could take virtually any form, as the subject and content could vary according to the objective of the true sender.

[Screenshot: a sample billing form captured by the scam, with name, street address, phone, e-mail address, payment method, card number, card type, expiry date and CVV2 fields (values redacted)]

FALSE: This notice is yet another redirection scam (also known as “phishing”) intended to deceive recipients into disclosing their card information, account information, social security numbers, passwords and other sensitive information.

Attackers take advantage of major events to get money or to expose your computer to malicious code.
Microsoft Security Tips
One of the most common ways for cybercriminals to steal money from people is through the use of fake security software, according to the most recent Microsoft Security Intelligence Report.
This kind of software is also known as “scareware” or “rogue security software.” Cybercriminals use it to scare people into downloading more malicious software onto their computer or paying for a fake product. For more information, see “Watch out for fake virus alerts.”
Here are examples of the graphics used by cybercriminals to trick you into downloading their security software.