1 Salient Proprietary | www.salientcommercial.com
Hack-a-thon Results and Cyber Risk
The Evolving Landscape
Brian Denny, Security Audit Lead
December 3, 2015
Agenda
• Burning question
• Our “Hack-a-thon” experience
• What we learned
• Technical tips for resolution
• Business tips for resolution
Our Burning Question…
Why isn’t our industry – especially small to midsized carriers – more proactive when it comes to cyber security?
Our Burning Question…
May 2014: 233 million credentials and PII
Our Burning Question…
June 2014: 2.6 million debit/credit cards
Our Burning Question…
June 2014: 4.5 million SSN and personal data
Our Burning Question…
August 2014: 76 million consumers, 7 million small businesses
Our Burning Question…
September 2014: 56 million debit/credit cards
Our Burning Question…
October 2014: 1.2 million credit cards
Our Burning Question…
November 2014: Emails and personnel data
Our Burning Question…
February 2015: 80 million customers’ PII
Our Burning Question…
March 2015: 11 million financial and medical records
Our Burning Question…
4.2 million OPM security files
Employees, Applicants, Family/Friends, References
PII, Mental health info, Drug/alcohol use
1.1M fingerprints
22.1XXXX
Our Burning Question…
Over 70% of companies do not disclose breaches
It’s no longer a question of IF but WHEN you will have a cyber incident
Most Common Responses
• Higher priorities (both business and IT)
• Budget and resource constraints
• How do I begin? Where do I start?
• Hackers wouldn’t be interested in our company
• We took care of that last year
• Ongoing
• Evolving
• Persistent
Most Common Responses
• IT handles that
Cyber security is NOT an IT issue!
Protecting the company and its data is a business risk management responsibility
• Fiduciary
• Liability
• Public Relations/Reputation
• Consumer confidence
What can we do?
• How can we demonstrate the need for urgency?
• What if we convinced 10 insurance companies to let us try to hack into their systems?
Who participated?
• Wide range of companies
• Personal, Commercial, Workers’ Comp, Niche, Life
• $10M - $500M
• Stock, Mutual, Privately Held, Non-Profit
• Spread across US
What did we do?
• A brief, focused assessment to quickly:
• Illustrate immediate risks
• Provide a high-level view of security posture
Meant to illustrate what an attacker’s first steps would be when pursuing access to a target network
Aimed to identify vulnerabilities in network perimeter, and to provide feedback outlining potential attack vectors
What did we do?
• Step 1 – Open source research of a target and its Internet presence
• Step 2 – Two discrete tasks to test for vulnerabilities:
• Active Scanning – simulating a real attacker by scanning the target to identify remotely accessible services and associated vulnerabilities
• Spear Phishing – sending targeted “phishing” emails to users to illustrate possibility of perimeter bypass
Active Scanning
• What?
• Performed remote scans from external infrastructure
• Leveraged publicly available tools
• Probed Internet facing presence
• Assessed common ports and protocols
• Focused on vulnerability discovery rather than exploitation of target network
whois
dig
DNS brute force
Active Scanning
• Why?
• Public-facing servers and the services they provide are the front doors to an organization's network
• Default configurations, along with poor security settings, leak information that can be extremely useful to an attacker
• With knowledge about types of systems and software, research can be done to find or develop exploits tailored to gain access to sensitive and proprietary information and systems
Active Scanning
• Why?
• Once an initial foothold is gained, an attacker has a platform from which he/she can explore more areas that are supposed to be quarantined from the public Internet
What were the results?
100% of companies had vulnerabilities
9 out of 10 had MINOR vulnerabilities
10 out of 10 had MODERATE vulnerabilities
8 out of 10 had CRITICAL vulnerabilities
What were the results?
[Pie chart: 256 Total Vulnerabilities, split into Minor, Moderate and Critical; slices labelled 24%, 59% and 17%]
What were the results?
[Bar chart: Common Scanning Vulnerabilities by Category, percentage axis 0% to 90%]
Categories: Denial of Service, VPN Vulnerabilities, Overflow, Cross Site Scripting, Man-in-the-middle, SSL Vulnerabilities, Information Disclosure
Prominent Overarching Theme
The root cause was the lack of security updates that allowed stolen user credentials
70% of the most common scanning errors could have been avoided by applying available updates and patches
An unpatched vulnerability in Windows was taken advantage of by 3rd party
Spear Phishing
• What?
• Performed targeted “phishing” of client users
• Regular phishing scams / emails cast a large net, attempting to lure many users into performing certain actions
• Spear phishing is much more focused, targeting specific users with relevant content (far more effective and believable)
Spear Phishing
• What?
• Mimicked client website and internal email user
ValidUser@smithcompany.com vs. ValidUser@srnithcompany.com
https://vpn.smithcompany.com vs. https://vpn.srnithcompany.com
• Used valid SSL certificates, which prevented browsers from warning users about an “untrusted connection”
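The lookalike pair on this slide (smithcompany.com against srnithcompany.com, where “rn” reads as “m”) is easy to miss by eye, so it helps to have a script do the looking. The following Python is an added example, not material from the presentation or from Salient: it folds visually confusable character sequences into a canonical skeleton, compares the registrable domain of each sender address and each link host against the company's trusted domains, and also catches one-character typo domains by edit distance. The trusted-domain list, the confusable table and the sample messages are constructed for the example.

```python
"""Lookalike-domain check for inbound mail (added example, not from the presentation).

Flags sender addresses and links whose domain is visually confusable with
the company's own domain, e.g. srnithcompany.com ("rn" reads as "m")
against smithcompany.com, the pair shown on the slide.
The trusted-domain list, confusable table and sample messages are constructed.
"""
import re
from urllib.parse import urlsplit

# Character sequences that render almost identically; folded before comparison (constructed table).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "|": "l"}

# Trusted domains (constructed for the example).
TRUSTED = ["smithcompany.com"]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def skeleton(domain):
    """Lower-case the domain and fold confusable sequences into a canonical form."""
    s = domain.lower().rstrip(".")
    for seq, rep in CONFUSABLES.items():
        s = s.replace(seq, rep)
    return s


def levenshtein(a, b):
    """Classic edit distance; a distance of 1 catches single-typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain, n_labels):
    """Keep the last n_labels labels so vpn.x.com is compared as x.com."""
    return ".".join(domain.split(".")[-n_labels:])


def classify_domain(domain, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'other' for one domain."""
    d = domain.lower().rstrip(".")
    for t in trusted:
        t = t.lower()
        if d == t or d.endswith("." + t):
            return "trusted"
    for t in trusted:
        t = t.lower()
        cand = registrable(d, t.count(".") + 1)
        if skeleton(cand) == skeleton(t) or levenshtein(cand, t) <= 1:
            return "lookalike"
    return "other"


def scan_message(sender, body, trusted=TRUSTED):
    """Classify the sender domain and every URL host found in the body."""
    findings = []
    m = ADDR_RE.search(sender)
    if m:
        findings.append(("sender", m.group(1), classify_domain(m.group(1), trusted)))
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            findings.append(("url", host, classify_domain(host, trusted)))
    return findings


def lookalike_domains(sender, body, trusted=TRUSTED):
    """Sorted list of distinct lookalike domains found in one message."""
    return sorted({d for _, d, v in scan_message(sender, body, trusted) if v == "lookalike"})


# Constructed sample messages in the style of the exercise described on the slides.
SAMPLES = [
    ("IT Helpdesk <it-helpdesk@srnithcompany.com>",
     "Please verify your VPN access at https://vpn.srnithcompany.com/login today."),
    ("HR <hr@smithcompany.com>",
     "The benefits portal is back at https://vpn.smithcompany.com/benefits"),
    ("Newsletter <news@example.org>",
     "This week's issue: https://www.example.org/news"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        hits = lookalike_domains(sender, body)
        print(f"{sender:<45} -> {'ALERT ' + ', '.join(hits) if hits else 'ok'}")
```

The skeleton comparison is what catches the slide's example; the edit-distance check is a separate net for plain typos such as a swapped letter. Either rule on its own would miss one of the two cases, which is why a gateway rule set usually carries both.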
Spear Phishing
• What?
• Requested users visit our spoofed site and enter their credentials to verify access
• If user clicked our link, our server recorded the IP address and browser user agent string for every connection received
• If user submitted the login form:
• Server securely logged his or her credentials
• Redirected connection to the authentic site, if it existed (if not, user was presented with a “login failed” message)
• From there, the user could log in normally
Spear Phishing Sample
Spear Phishing
• Why?
• Illustrates a common security bypass/perimeter breach technique
• Even if a client’s perimeter is secure (i.e., not remotely exploitable), “client side exploits” pose a real threat
Hackers got into eBay after obtaining login credentials from employees allowing them to access the corporate network.
Spear Phishing
• Why?
• If an internal user can be lured to initiate an outbound connection, a remote attacker can potentially have a vector to deliver malicious code to the target user on the inside of the network
• This vector wouldn’t exist if the client user didn’t initiate a connection to the attacker’s server
• This enables the possibility for the attacker to exploit a client application (e.g., the web browser making the connection)
• That is, a “client side attack or exploit”
Spear Phishing
Why?
If a remote VPN is present, captured credentials can give an attacker immediate, authenticated access to a network
If not present, credentials can still be used to access internal legitimate corporate email
Theft of IP and PII
May enable further attacks
What were the results?
8 of the 10 companies fell prey to our spear phishing email
Average of 52% of users clicked on fake link
Average of 42% gave us their credentials
What were the results?
• Clicking on email link using old browsers allows exploitation of the browser into the internal network (CRITICAL)
• Clicking on email link using current or unknown browsers allows information leakage (MINOR)
• Entering credentials where remote SSL VPN exists gives immediate access to internal systems (CRITICAL)
• Entering credentials where no remote SSL VPN exists gives access to email server (MODERATE)
• Recommendation: User education
What did we learn?
• We must be proactive as well as reactive
• Risk management
• Mitigation strategy
• Incident response
• Cyber security is never once and done
• Everyone is a target – either directed or opportunistic
Top Technical Tips
Comply with the SANS Top 20 Critical Security Controls including these quick hits
Close all unneeded ports ("default deny" mindset)
Regularly patch all systems (including devices, servers, and workstations)
Create and enforce complex password requirements
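A “default deny” mindset only holds up if something regularly checks the perimeter against what was actually approved. The Python below is an added example, not the presenter's or Salient's material: it audits a simplified, constructed list of observed Internet-facing ports (host, port/protocol, service) against a per-host allowlist and reports every exposure that was not explicitly approved, every host missing from the allowlist altogether, and every approved exposure that was expected but not seen. All addresses, ports, services and the allowlist itself are constructed sample data, and the one-line-per-port scan format is a simplification assumed for the example rather than any particular scanner's output.

```python
"""Default-deny perimeter audit (added example, not from the presentation).

Compares what is actually listening on Internet-facing hosts against a
per-host allowlist. Anything not explicitly approved is a finding, and a
host with no allowlist entry is treated as "nothing approved".
All hosts, ports, services and the allowlist are constructed sample data.
"""
from collections import defaultdict

# Approved exposures per host (constructed). A host absent here has nothing approved.
ALLOWLIST = {
    "203.0.113.10": {"443/tcp"},                         # public web server
    "203.0.113.20": {"443/tcp", "500/udp", "4500/udp"},  # SSL/IPsec VPN gateway
    "203.0.113.30": {"25/tcp", "443/tcp"},               # mail gateway
}

# Simplified scan output (constructed): "host port/proto service", one per line.
OBSERVED_SCAN = """\
# external scan of 203.0.113.0/24, constructed sample
203.0.113.10 22/tcp ssh
203.0.113.10 443/tcp https
203.0.113.20 443/tcp https
203.0.113.20 500/udp isakmp
203.0.113.30 25/tcp smtp
203.0.113.30 443/tcp https
203.0.113.30 3389/tcp ms-wbt-server
203.0.113.40 445/tcp microsoft-ds
"""


def parse_scan(text):
    """Return (host, port_proto, service) tuples, skipping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed scan line: {line!r}")
        host, port_proto = parts[0], parts[1]
        service = parts[2] if len(parts) > 2 else "unknown"
        rows.append((host, port_proto, service))
    return rows


def audit(observed, allowlist):
    """Return findings as sorted (host, port_proto, service, reason) tuples."""
    findings = []
    for host, port_proto, service in observed:
        approved = allowlist.get(host)
        if approved is None:
            # Fail closed: an unknown host has no approved exposures at all.
            findings.append((host, port_proto, service, "host not in allowlist"))
        elif port_proto not in approved:
            findings.append((host, port_proto, service, "port not approved for host"))
    # Approved exposures that did not answer are worth a look too
    # (a VPN concentrator that silently stopped listening, a filter change, etc.).
    seen = defaultdict(set)
    for host, port_proto, _ in observed:
        seen[host].add(port_proto)
    for host, approved in allowlist.items():
        for port_proto in sorted(approved - seen[host]):
            findings.append((host, port_proto, "-", "approved but not observed"))
    return sorted(findings)


if __name__ == "__main__":
    for host, port_proto, service, reason in audit(parse_scan(OBSERVED_SCAN), ALLOWLIST):
        print(f"{host:<14} {port_proto:<9} {service:<16} {reason}")
```

Run on the sample, the audit flags SSH on the web server, RDP on the mail gateway, an SMB port on a host nobody approved, and the VPN gateway's missing NAT-T port. The allowlist doubles as the documented inventory of what is supposed to be reachable from the Internet, which is the artifact most small shops are missing when they first ask “where do I start?”.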
Top Technical Tips
• Move to 2-factor authentication for remote access to your networks
• Use S/MIME for digital signatures (to protect against e-mail spoofing)
• Invest in monitoring and prevention capabilities within your enterprise
• Subscribe to data sharing service (threat intelligence)
• Be aware of increased attack surface (protect your periphery)
• BYOD
• Unsecured public wi-fi
• Partners/providers
Top Business Tips
• Adopt a corporate process to properly manage your cyber risk as part of overall risk management portfolio
• Include in enterprise risk management (reporting to leadership team and board of directors)
• Technical prevention alone is never enough
• Policies/tools to reduce impact of breaches
• Incident response (table top exercises, crisis management team)
Top Business Tips
• Human behavior resists efforts to control
• Social Engineering – spear phishing, watering holes
• The best security prevention is crowdsourcing – i.e. responsibility of all employees
• Develop a culture of security awareness (including user training)
Top Business Tips
• Inventory and classify all information assets (to inform your risk calculus)
• Seek compliance against relevant government and industry standards for your market
• Partner with legal, compliance and internal audit
• NAIC Principles
• Conduct annual independent 3rd-party testing to benchmark your program and determine gaps
Contact Information and Q&A
Thank you for your attention during today’s presentation. For more information, please contact:
Brian Denny
Security Audit Lead
brian.denny@SalientCommercial.com
www.SalientCommercial.com
And now, to our Q&A portion of today’s event.