Official Use Only Tony H. McMahon MITS Director, Transition 2 Program Manager Cust.Acct. Data Eng. Program Office Washington, DC Giselle C. Joseph IT Security Specialist MITS CyberSecurity Operations Houston, Texas 1 Official Use Only Largest IT environment of any U.S. civilian agency More PII than any other government agency Process $2.5T of revenues Complex & diverse IT infrastructure Complex & diverse business processes utilizing many channels (e-file, paper, internet, phone, walk-in) 80% of American Taxpayers will file electronically by the year 2012 700 + POD’s 2 Official Use Only Top 10 Attacking Countries (denied) United States (US) China (CN) No Country Code 3 Official Use Only Hit Count 14,911,704 1,101,127 Canada (CA) 668,888 Great Britain (GB) 145,444 Japan 106,340 Germany (DE) 98,002 Europe (EU) 55,002 Korea (KR 47,437 Netherlands (NL) 46,623 Russia (RU) 37,005 Hit Count is Based on every 3 months DATA– All information used and transmitted by the organization Sensitive But Unclassified (SBU) SBU data refers to sensitive but unclassified information originating within IRS offices. [Ex: Personal, Tax Return Information, Personally Identifiable Information (PII).. PII includes the personal data of taxpayers, and also the personal information of employees, contractors, applicants, and visitors to the IRS [Ex: Home addresses, Names, Social Security Numbers, National Security Information - Cyber Espionage HARDWARE- Desktop computers, servers, wireless access points (APs), networking equipment, and telecommunications connections etc… SOFTWARE- Application programs, operating systems, and security software etc… 4 Official Use Only No one knows who I am on the Internet The Internet is a virtual world, so nothing bad can happen to me Security software (anti-virus, firewall, etc.) will protect me The IRS will protect me Law enforcement will protect me 5 Official Use Only 5 Web-based attack activity, 2009–2010 Source: Symantec Corporation 6 Official Use Only Who are they? No longer just technogeeks. GANGS/GROUPS ►Criminal gangs . ►Employ individuals or groups of hackers to steal PII, credit card & banking information. ►Hacker Gangs ►Create & sell botnets & hacker tools ►Sometimes engage in activity to wage cyber war on each other or to boost their reputation. ► Political or religious groups ►Hacking for military and commercial secrets & to inflict damage. Well resourced - Funded by criminal Hackers, Attackersenterprises, or Intrudersnations, political or religious entities. Script Kiddies Glory Motivated Computer Spy Financial Profit Employees Political Motivated Cybercriminals Religious Groups Cyberterrorists 7 Official Use Only “They have Shift from “Glory-Motivated-Vandals” to “Financially-Politically-Motivated-Cyber-Crime Joseph McElroy Hacked US Dept of Energy Chen Ih Hua CIH Virus Jay Echouafni Competitive DDoS Jeremy Jaynes $24M SPAM KING 8 Official Use Only • Jeffrey Lee Parson Blaster-B copycat Andrew Schwarmkoff Russian Mob Phisher Photos from colleagues at F-Secure Highly motivated, professionally trained & equipped adversaries Espionage and sabotage aimed at US Government, Military & Commercial sites Strategic & Tactical Attacks Threat to the military & economic security of the United states 9 Official Use Only Social Engineering Phishing, Pharming etc… Malware (Malicious Code) Viruses, Trojans, Spyware, Spam, Botnets etc… Network Vulnerabilities & Attacks Weak Passwords, Backdoors, DoS, Spoofing, etc… Hardware Base Attacks USB drives, Cell phones etc… Web Browser Attacks Cookies, Active X etc… Communication Based Attacks Instant Messaging (IM), peer-to-peer (P2P) etc… Wireless Attacks & Protocol-Based Attacks War Driving, Bluesnarfing etc… Difficulties in Defending Against Attackers Speed, Sophistication & Simplicity of Attacks etc… Lack of Education and Training (Security Awareness) Smart People doing ‘NOT So Smart Things’ Donate computer with uncleaned disk w/o sanitization. 10 Official Use Only Social Engineering Tactics Social Engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim. ► E-Mail Phishing, Pharming, Computer hoaxes etc… Combat Social Engineering: ► ► ► ► ► ► ► ► Telephone ► ► In Person ► Shoulder Surfing, Stealing, Browsing ► Dumpster Diving ► Internet Unsafe Web Sites ► In Writing 11 Official Use Only ► ► ► Never reveal or share your password Never provide information about IRS systems & networks. Never change your password to something that another person has requested. Never disclose Sensitive & Official Use Only (OUO) information. Never reply to e-mail messages that request your personal information. Never click links in suspicious e-mail. Never unsubscribe from Email unless it’s a reputable business. Never download from the Internet on IRS computers. Always be careful whom and where you download from on home computers. Always verify the identity of callers Always discard sensitive information appropriately (shred, locked burn bens etc…) When dealing with companies make sure you do your homework to ensure that they are legitimate Better Business Bureau (BBB). Malware is software that enters a computer system without the owner’s knowledge or consent. Malware is also referred to as Malicious Code or Malicious Content. Malware's most common pathway from criminals to users is through the Internet: primarily by e-mail and the World Wide Web. Malware is a variety of damaging and/or annoying software. MALWARE Three main objectives of Malware: Infecting Malware: Viruses, Worms Concealing Malware: Trojan Horses, Rootkits, Logic Bombs, Backdoors, and Privilege Escalation Malware for Profit: Spam, Spyware, and Botnets 12 Official Use Only Trojan Horse or Trojan, are a type of malware that disguise themselves as legitimate, it is destructive program that masquerades as an application. When an end-user attempts to install or run the seemingly-benign executable file, their system becomes infected with malicious code, which gives an attacker access to the user’s privileges and sensitive information. [Malware] Trojans are approximately 90% of the Malicious code events detected by IRS every quarter. 80% or more of these Trojans come from Malicious Websites According to Symantec, Trojans are the Most important source of potential infections. In 2010, 56 percent of the volume of the top 50 malicious code samples reported were classified as Trojans—the same percentage as in 2009. Trojan Horses Spyware (Malware) Spyware is a general term used to describe software that violates a user’s personal security. Spyware creators are motivated by profit: generate income through advertisements or by acquiring personal information and may change configurations. Although attackers use several different spyware tools, the two most common are adware and key loggers. Adware (Spyware tool) typically display advertising banners or pop-up Ads or opens Web browser while user is on the Internet. Keylogger (Spyware tool) is a small hardware device or a program that monitors each keystroke a user types on the computer’s keyboard. Spyware usually performs one of the following functions on a user’s computer: Advertising, (Pop-ups), Collecting personal information or Changing computer configurations. NOTE: Your Personal Information can be obtained through [zabasearch.com, & Spokeo,] 13 Official Use Only PHISHING Phishing is an attack that sends an e-mail or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information. [Social Engineering] Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. ► Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. ► Phishers like to use variations of a legitimate address ex: www.ebay_secure.com ► In many cases when clicking open pop-ups it will attach Malware to your computer. SPAM is unsolicited, junk e-mail. It continues to escalate through the Internet. On average it costs U.S. Organizations $1000.(or more) per person annually in lost productivity. [Social Engineering / Malware] SPAM Most SPAM comes in forms of Chain letters, Jokes, Hoaxes, and Advertisement. ► Botnets, networks of virus-infected computers, are used to send about 80% of spam. ► Spammers collect e-mail addresses from chatrooms, websites, customer lists, newsgroups, and viruses which harvest users' address books, and are sold to other spammers. ► Spam averages 80% of all e-mail sent with many containing attachments of Malware. ► In the year 2011 the estimated figure for spam messages are around seven trillion. NOTE: For Hoaxes check out Snoopes.com and/or TruthorFiction.com 14 Official Use Only Web Browsing Web Browsing – Surfing the web can often lead to unsafe websites. In addition, There are many E-mail messages that direct users to unsafe websites. [Phishing] UNSAFE WEB SITES –Many legitimate web sites unknowingly have been infected and have malware attached to downloads. Users should never log on to a web site from a link in an e-mail; instead they should open a new browser window and type the legitimate address. ► IRM 10.8.27.3 (1) states “Employees should not download unauthorized program. DOWNLOADING NOT PERMITTED. ► Any Web site in which the user is asked to enter personal information should start with “https” instead of “http” and should include a padlock in the browser status bar. ► One way to check the links in an e-mail you receive is to place your mouse cursor over the link BUT DO NOT CLICK. This will display the true link as shown in the image below. Removable Media Removable Media is designed to be removed from the computer without powering the computer off. Despite advantages, Removable media are widely used to spread malware. [Hardware Based Attack] REMOVABLE MEDIA – Some types of removable media are blu-ray discs, DVDs, CDs, Memory Cards, Floppy disks, Magnetic tapes, paper data storage, USB drives etc.. iPods, MP3 Players, digital cameras, and smart phones connected to your computer system are also considered to be removable media. ► In 2010 IRS saw an increasing trend of malware related infections resulting from users connecting either IRS issued or personally owned removable media to IRS systems. 15 Official Use Only Botnets – One of the popular payloads of malware today that is carried by Trojan horses, worms and viruses is a program that will allow the infected computer To be placed under the remote control of an attacker. This infected “robot” Computer is known as a zombie. When hundreds, thousands, or even tens of Thousands of zombie computers are under the control of an attacker, this creates A botnet. [Malware] Botnet (Malware) Botnets enables attackers to send massive amounts of spam, harvest e-mail addresses, spread malware, manipulate online polls, denying services, flooding Servers with request until servers cannot respond or function properly. Denial of Service Attacks Zero Day Attacks NOTE: Although DoS attacks are not widespread on wireless networks, inadvertent Interference from other RF devices (cordless telephones, microwave ovens, baby monitors) Can sometimes actually cause DoS. When slow transmission happens either turn them Off or cut them off. Zero-Day Attack - This type of attack occurs when an attacker discovers and exploits A previously unknown flaw, providing “zero days’ of warning. 16 Official Use Only A denial-of-service (DOS) attack attempts to consume network resources so that The network or its devices cannot respond to legitimate requests. Network Attacks Network Attacks – Networks have been the favorite targets of attackers for several reasons. An attacker who can successfully penetrate a computer network might have access to hundreds and or even thousands of desktop systems, servers, and storage devices. Also, Networks have had notoriously weak security, such as default passwords left set on Network devices. And because networks offer many services to users, it is sometimes Difficult to ensure that each service is properly protected against attackers. Network Vulnerabilities: weak passwords, default accounts, backdoors, and privilege escalation. Network Categories and Methods of Attacks: denial-of-service, spoofing, man-in-the-middle, and replay attacks, protocol-based or wireless etc… Communication Based Attacks Wireless Attacks 17 Official Use Only Communication Based Attacks – Some of the most common communications-based Attacks are SMTP open relays, instant messaging, and peer-to-peer (P2P) networks. Wireless Attacks – As wireless networks have become commonplace, new attacks have Been created to target networks. These attacks include rogue access points, war driving, Bluesnarfing, and blue jacking. www.phishing@irs.gov www.spam@irs.go Many Emails may lead to unsafe websites <A> Billing:Bulletin Pxxx xxx containingEmail MaliciousEntitled Code or trying to IRS CSIRC - 03022011-001-Bulletin Either Malicious Obtain personal information. (Look at the address link) "W-2 form update" in Circulation <A> xxx xxx Road <A> Suite 400 What is the problem? The CSIRC team is aware of malicious code circulating via phishing email messages entitled "Important: W-2 form <A> xxx, CA xxx update". These email messages appear to come from the Internal Revenue Service and offer a link that suggests it will take you to the "updated version of the W-2 form". The link contained within the email messages seem to be <A> US legitimate but is in fact a way of luring unsuspecting users into downloading malicious software in the form of a Trojan. <A> Phone: xxxxxx7605 Pictured below is an example of the recent phishing message currently in circulation, the incorrect punctuation and <A> e-mail: pxxx.xxx@atf.gov misspellings are an immediate red flag. However, this threat could take virtually any form as the subject and content could vary according to the objective of the true sender. <A> Payment Method: Credit Card <A> Name On Card: Pxxx x. xxx <A> Credit Card #: 5568xxxxxxxxxxxx <A> Credit Type: MasterCard <A> Expires: 05/2009 <A> CVV2: 421 FALSE – This notice is yet another redirection scam (also known as “phishing”) Intended to deceive recipients into disclosing their card information, account Information, social security numbers, passwords and other sensitive information. ## Official Use Only 18 www.phishing@irs.gov www.spam@irs.go Attackers take advantage of major events to get monies or to expose your computer to a Malicious Code. ## Official Use Only 19 One of the most common ways for cybercriminals to steal money from people is through the use of fake security software, according to the most recent Microsoft Security Intelligence Report. This kind of software is also known as “scareware” or “rogue security software.” Cybercriminals use it to scare people into downloading more malicious software onto their computer or pay for a fake product. For more information, see Watch out for fake virus alerts. Here are examples of the graphics used by cybercriminals trick you into downloading their security software. Microsoft Security Tips 20 Official Use Only