Cyber Crime What's YOUR Weakest Link?
The Secure Software Acquisition Process – C Level
Who am I?
• Chair Computer Information Systems Department University of Detroit Mercy
• Director Center for Cyber Security and Intelligence Studies
• Former Employee (on educational leave) Ford Motor Company IT Security & Strategy
• Student University of Michigan Dearborn PhD Program – Writing dissertation
Thursday April 11th, 2013 BOMA Metro Detroit (April Meeting) 2
Who are we?
• Sam Rassam, Undergraduate Student, University of Detroit Mercy
• Kyle Cisco, Undergraduate Student, University of Detroit Mercy
Aspirations
At the end of this presentation you will have a better
understanding of:
• The cyber risks you face as business owners
• The behaviors and technologies that put you at risk.
• The steps you can take to protect yourself
• The places you can go to learn more
Cyber Crime in General
• Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved.
• Annual loss estimates range from billions to nearly $1 trillion.
• Some claim cybercrime rivals the global drug trade in size.
• Estimates may be enormously exaggerated, but it would be a mistake not to consider cybercrime a serious problem.
• Cybercrime is actually a relentless, low-profit struggle for the majority.
• You have the power to limit your vulnerability to cyber crime.
*Source: “The Cybercrime Wave That Wasn’t” by Dinei Florêncio and Cormac Herley, published April 14, 2012
What do they want?
• Assets that can be turned into money
• SSNs
• Bank accounts
• Credit Card accounts
• Identities
• Access to physical things
• Cars
• Places of business
• Underage candidates for exploitation
How do they get it?
Accepting without reading
• While browsing the Internet, an advertisement or pop-up window appears that says your computer is infected or that a special plug-in is required. Without understanding what you are getting, you accept the prompt (the “fix” you just accepted is the infection).
• When installing or updating a program, you are asked (often with the checkboxes already ticked) whether it is OK to install additional programs that you may not want, or that are designed to monitor your use of the program.
Best defense: awareness training
How do they get it?
Opening e-mail attachments
• Another very common way people become infected with viruses and other spyware is by opening e-mail attachments, even when they come from a co-worker, friend, or family member. The sender address can be faked, and even when it is not, your acquaintance may unknowingly be forwarding you an infected file.
• When you receive an e-mail with an attachment that was not expected, or that comes from someone you don’t know, delete it. If the e-mail is from someone you know, still be cautious when opening the attachment.
Best defense: awareness training; type in URLs instead of clicking links in e-mail; an e-mail attachment scanner
Hands-on Demo #0 Wireless attack on an iPhone
• Sniff the iPhone’s Wi-Fi traffic, including sessions the user started over HTTPS (the attacker downgrades them to plain HTTP in transit; see the Wireless Attacks slide)
• Obtain the user ID and password for an e-mail account, a credit card account, or a bank account
How do they get it?
Not running the latest updates
• Many of the updates, especially those associated with
Microsoft Windows and other operating systems and
programs, are security updates. Running a program or
operating system that is not up-to-date is a big security
risk.
Best defense: turn on automatic updates
How do they get it?
Pirating software, music, or movies
• Underground sites where copyrighted music, movies, software, etc. are downloaded for free are also a common source of viruses, spyware, and other malicious software bundled into the files.
Best defense: don’t allow torrents; DNS filtering
How do they get it?
No antivirus/antispyware scanner
• If you are running a computer with Microsoft Windows it is highly recommended that you have some form of antivirus and antispyware protection on that computer, both to clean any infections currently on it and to help prevent future ones.
Best defense: AVG antivirus/antispyware; defense in depth (the scanner is one layer, not the only one)
How do they get it?
USB attacks
• A USB stick holding company data is lost or stolen
• A USB stick is “found” and inserted into a company computer
Best defense: full disk encryption; encrypted USB sticks; removable media scanner (AVG)
Hands-on Demo #0 Computer on a stick
• Boot the PC from a live Linux USB stick: this bypasses all Windows security (logon passwords, file permissions) and lets you read the hard drive directly
• The same trick lets you recover files from a broken OS
• It also lets you scan and repair the installed system from outside it
• Ubuntu 10.04 is easiest to use
• The only thing that stops it is full disk encryption, which is why it heads the USB defense list above
How do they get it?
Wireless Attacks
• A company laptop or mobile device is used to access the Internet at a local coffee house, an airport, or a hotel. If the access point is an imposter, OR if the access point uses WEP encryption, OR if the access point uses WPA/WPA2 with a dictionary passphrase, then all traffic is available to the attacker. (WEP keys are recovered in minutes from captured traffic; a WPA/WPA2 pre-shared key is guessed offline from a single captured handshake, so a passphrase that appears in any word list is as good as none.)
• HTTPS (SSL) is little help in this situation. An attacker sitting between you and the access point can easily strip it off: the https:// links in the pages you load are rewritten to http://, while the attacker keeps the encrypted connection to the site on his own side. The only things that stop this are a site that enforces HTTPS with HSTS (and that you have visited before) or an app that pins its certificate; most users never notice that the padlock is gone.
Best defense: WPA2 (or WPA) with a strong, non-dictionary key; awareness training
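To show why “WPA with a dictionary password” belongs on the list above, here is an added example (not code from the talk) that builds a WPA2-PSK 4-way handshake the way a phone and an access point would and then runs the offline dictionary attack an eavesdropper runs against the captured handshake. The key derivations are the standard IEEE 802.11i ones (PBKDF2-HMAC-SHA1 for the PMK, PRF-512 for the PTK, HMAC-SHA1-128 for the EAPOL-Key MIC); the SSID, MAC addresses, nonces, EAPOL message body and word list are all constructed for the demo.

```python
import hashlib
import hmac

# Added example, not code from the slides: a constructed WPA2-PSK 4-way
# handshake and the offline dictionary attack against it. The derivations are
# the standard IEEE 802.11i ones; every value below (SSID, MAC addresses,
# nonces, EAPOL body, word list) is made up for the demonstration.

SSID = "Panera-Guest"                                         # constructed
AP_MAC = bytes.fromhex("0011aa22bb33")                        # constructed
CLIENT_MAC = bytes.fromhex("6677cc88dd99")                    # constructed
ANONCE = hashlib.sha256(b"anonce-from-the-ap").digest()       # 32 bytes, constructed
SNONCE = hashlib.sha256(b"snonce-from-the-phone").digest()    # 32 bytes, constructed
# Stand-in for EAPOL-Key message 2 with its 16-byte MIC field zeroed.
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + SNONCE + bytes(16)
WORDLIST = ["password", "letmein", "coffee123", "Summer2013", "panera1"]  # constructed


def wpa_pmk(passphrase, ssid):
    """Pairwise Master Key, exactly as a WPA/WPA2 client derives it from the
    passphrase and SSID: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || i, concatenated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_kck(pmk, ap_mac, client_mac, anonce, snonce):
    """First 128 bits of the PTK: the Key Confirmation Key that MICs the handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck, eapol_frame):
    """EAPOL-Key MIC for WPA2/CCMP: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def capture_handshake(passphrase):
    """What the phone and the access point leak over the air: everything the
    attacker needs except the passphrase itself."""
    kck = derive_kck(wpa_pmk(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return {"ssid": SSID, "ap_mac": AP_MAC, "client_mac": CLIENT_MAC,
            "anonce": ANONCE, "snonce": SNONCE, "eapol": EAPOL_MSG2,
            "mic": eapol_mic(kck, EAPOL_MSG2)}


def crack_handshake(cap, wordlist):
    """Offline dictionary attack: no further contact with the network is needed.
    Each guess costs one PBKDF2 (4096 SHA-1 rounds), so a passphrase that is in
    a word list falls in seconds while a long random one never does."""
    for candidate in wordlist:
        kck = derive_kck(wpa_pmk(candidate, cap["ssid"]), cap["ap_mac"],
                         cap["client_mac"], cap["anonce"], cap["snonce"])
        if hmac.compare_digest(eapol_mic(kck, cap["eapol"]), cap["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    print("weak  :", crack_handshake(capture_handshake("Summer2013"), WORDLIST))
    print("strong:", crack_handshake(capture_handshake("orbit-velvet-gravel-mason-47"), WORDLIST))
```

The attacker's cost is one PBKDF2 per guess and nothing else, which is why the defense is entirely in the passphrase: the same code that cracks “Summer2013” on the first pass through a word list gets nowhere against a long random key, and WPA2 versus WPA changes nothing about that.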
Your interconnectedness
[Diagram: you, with a corporate laptop, an iPhone, a PSP and a corporate BlackBerry, connect through hotel and Panera wireless routers (WiFi) and a cell tower to the Internet, reaching your bank, Gmail, Google Calendar and a soccer registration site. Account information, credit card numbers, personal and corporate data, and e-mail and calendar contents all cross those links. A hacker on the WiFi: “I’m Listening!”]
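The “HTTPS is no help, an attacker can strip it off” point on the Wireless Attacks slide is easier to believe when you see the rewrite and the one thing that blocks it. The following is an added example (not code from the talk): it models the attacker's proxy rewriting a page on the coffee-shop Wi-Fi, and a minimal client-side HSTS policy cache (RFC 6797) that re-upgrades links to hosts the client has seen before. The host names, page and headers are constructed for the demo.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Added example, not code from the slides. Models the HTTPS-stripping attack
# (an attacker on the Wi-Fi rewrites the page so the victim's next request is
# plain HTTP) and the client-side HSTS policy cache (RFC 6797) that defeats it
# for sites the client has visited before. Hosts, page and headers are
# constructed for the demonstration.

BANK_PAGE = ('<html><body><a href="https://bank.example/login">Log in</a> '
             '<a href="http://news.example/">News</a></body></html>')  # constructed

HREF = re.compile(r'href="([^"]+)"')


def strip_https(html):
    """The attacker's proxy: every https:// link becomes http://. The attacker
    keeps the real TLS connection to the bank on its own side and relays content."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.
    Returns (max_age_seconds, include_subdomains) or None if unusable."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """Minimal HSTS store: host -> (expiry time, include_subdomains)."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}

    def learn(self, host, response_headers, over_https):
        # RFC 6797 section 8.1: the header is only honoured on a secure connection,
        # so an attacker on the wire cannot plant or clear a policy over plain HTTP.
        if not over_https:
            return
        parsed = parse_hsts(response_headers.get("Strict-Transport-Security", ""))
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:                       # max-age=0 deletes the policy
            self._hosts.pop(host.lower(), None)
        else:
            self._hosts[host.lower()] = (self._now() + max_age, include_sub)

    def is_known(self, host):
        host, now = host.lower(), self._now()
        for known, (expiry, include_sub) in self._hosts.items():
            if expiry <= now:
                continue
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def upgrade(self, url):
        """The step that undoes the stripping: http:// to a known host is
        rewritten to https:// before the request ever leaves the device."""
        parts = urlsplit(url)
        if parts.scheme.lower() == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def requests_the_client_will_send(cache, html_as_received):
    """URLs the browser would actually fetch when the user clicks each link."""
    return [cache.upgrade(u) for u in HREF.findall(html_as_received)]


if __name__ == "__main__":
    stripped = strip_https(BANK_PAGE)
    first_visit = HstsCache()                      # has never seen the bank
    returning = HstsCache()
    returning.learn("bank.example",
                    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                    over_https=True)
    print("first visit :", requests_the_client_will_send(first_visit, stripped))
    print("returning   :", requests_the_client_will_send(returning, stripped))
```

The limits are the same as on the slide: a client that has never reached the site over HTTPS has no policy to apply, the policy expires with max-age, and a site that sends no HSTS header gets no protection at all, which is why the coffee-shop user still ends up on the attacker's http:// login page.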
Some numbers
• Purchases increasing at an annual growth rate of more than 40%
• About 40% of corporate devices are purchased by individuals who then use them in the enterprise
• The number one mitigation strategy for organizations is limiting operating system diversity
“We are going to limit ourselves to ONE risky platform”
* Source: International Data Corporation
Mobile Devices… How is software developed?
Apple, Android, RIM and Symbian = 89% of the market
• iOS
  • Proprietary code
  • Development uses Objective-C and Cocoa Touch
  • Sold and distributed in the Apple App Store (or a marketplace your company “buys”)
• Android (most sales in 2010)
  • Open source
  • Development takes place (primarily) in Java
  • Sold in the Android Market and third-party stores
Mobile Devices… How is software assured?
• Assurance
  • iOS
    • Apple inspects code for usage they don’t like
    • Apple makes “recommendations”
    • Proprietary nature reeks of risk
    • No warnings to the user about which resources an app accesses
  • Android
    • Some code inspection, depending on the marketplace where the app is sold
    • Open source nature smells better
    • Warnings about accessing resources (the permission list shown before install)
Mobile Devices… Where is software hosted?
• Hosting
  • iOS
    • Runs through Apple (messes up DNS)
    • Could be hosted by the provider
    • Could be hosted by an advertiser
    • Could be hosted by you
  • Android
    • Could be hosted by the provider
    • Could be hosted by an advertiser
    • Could be hosted by you
Mobile Malware… Still waiting for the mushroom cloud
• First Symbian malware (2004):
  • Cabir worm (spread via Bluetooth)
  • Skulls (“Skuller”) trojan (installed by the user as a disguised application package)
• First iPhone worm (2009):
  • ikee targeted jailbroken iPhones on which the SSH service had been installed and the default root password left unchanged
• First Android malware (2010):
  • Trojan-SMS.AndroidOS.FakePlayer, distributed via websites rather than the Android Market, written by Russian virus writers
Mobile Device Breaches
• 1 in 3 breaches attributed to mobile devices, including lost or stolen devices
• Cyber criminals have moved to easier, smaller targets
  • Healthcare and hospitality
• Malware, hacking, and physical compromise accounted for 5 of the top 10 events in the Verizon report
  • The others were malware on, and hacking of, servers
• Breaches are not growing in step with increased usage
• My speculation is that people don’t report loss of personally owned devices
Why worry?
• Sales of converged mobile devices are greater than laptop sales
• Gen Y has shown a propensity to accept risk
• There is a lack of awareness of the differences between an app and an enterprise application
• Antivirus / antispyware tools are available, but are not as powerful as their laptop counterparts
• Antivirus / antispyware tools are often disabled because of performance
• There is a lack of awareness of the differences between WiFi and cellular technology
Cloud Computing… Watch out for…
• Forensics
  • There are no established digital forensic guidelines that specifically address the investigation of cloud computing systems (Computer Law and Security Review, 2010)
  • How can you verify that the forensic evidence has NOT been altered? (At minimum: hash every item at the moment of acquisition and keep the hashes, authenticated, outside the provider’s reach.)
  • The UK Information Commissioner’s Office (ICO, 2010) recommends that all data be encrypted prior to being sent to the cloud
  • The acquisition and analysis of evidence from cloud computing systems is going to be more complex and in some cases impossible
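One concrete answer to the “has the evidence been altered?” question above, as an added example that is not from the talk: every acquired item is hashed into a manifest at acquisition time, the manifest is authenticated with a key the examiner keeps off the provider’s systems, and a later check reports exactly which items changed, vanished or appeared. The evidence files, their contents and the examiner key are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Added example, not code from the slides: hash manifest plus keyed
# authentication for a set of acquired evidence files. The sample files and
# the examiner key below are constructed for the demonstration.

EXAMINER_KEY = b"constructed-examiner-key-keep-this-off-the-cloud"   # constructed


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(directory):
    """Hash and size of every regular file in the evidence directory."""
    manifest = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            manifest[name] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return manifest


def canonical(manifest):
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """HMAC over the canonical manifest. A plain hash list can be regenerated by
    whoever tampered with the files; this tag cannot without the key."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest, tag, key, directory):
    """Returns {'manifest_authentic': bool, 'files': {name: status}} where status
    is one of 'ok', 'modified', 'missing', 'unexpected'."""
    authentic = hmac.compare_digest(sign_manifest(manifest, key), tag)
    current = build_manifest(directory)
    files = {}
    for name, expected in manifest.items():
        if name not in current:
            files[name] = "missing"
        elif current[name] == expected:
            files[name] = "ok"
        else:
            files[name] = "modified"
    for name in current:
        if name not in manifest:
            files[name] = "unexpected"
    return {"manifest_authentic": authentic, "files": files}


def demo():
    """Acquire three constructed evidence files, then show what a verifier sees
    after one is edited, one deleted, one planted, and finally after the
    tamperer rebuilds the manifest to match (without the examiner's key)."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in [("mail.mbox", b"From: a@example\n\nhello\n"),
                           ("access.log", b"10.0.0.7 - - GET /login 200\n"),
                           ("notes.txt", b"meeting 14:00\n")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(d)
        tag = sign_manifest(manifest, EXAMINER_KEY)
        intact = verify_manifest(manifest, tag, EXAMINER_KEY, d)

        with open(os.path.join(d, "access.log"), "ab") as f:    # edited
            f.write(b"10.0.0.7 - - GET /admin 200\n")
        os.remove(os.path.join(d, "notes.txt"))                  # deleted
        with open(os.path.join(d, "planted.txt"), "wb") as f:    # planted
            f.write(b"nothing to see\n")
        tampered = verify_manifest(manifest, tag, EXAMINER_KEY, d)

        forged = build_manifest(d)        # tamperer's rebuilt manifest: files match it
        forged_check = verify_manifest(forged, tag, EXAMINER_KEY, d)   # but the tag does not
        return {"intact": intact, "tampered": tampered, "forged": forged_check}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hashes answer “which file changed”; the keyed tag answers “is this even my manifest”. Without the second, a provider-side actor who can edit the files can just as easily edit the hash list next to them, which is the point of the ICO advice to keep the sensitive material (here, the key) out of the cloud.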
Cloud Computing… Watch out for…
• Exposure
  • Law enforcement agencies need a warrant to enter your premises, search your files and pull out incriminating documents
  • They need the same warrant for files on your computer
  • Does the same standard apply if your information is stored on online servers operated by cloud computing providers? See the Electronic Communications Privacy Act of 1986.
Hardening
Server Hardening
• Turn off services you don’t need
  • ftp, telnet (both also send passwords in the clear; if you need the function, use SSH/SFTP instead)
• Use Microsoft Configuration Manager
  • In Windows Server 2012, the Security Configuration Wizard is located in the Server Manager dashboard
• Use a Mac OS X Server hardening checklist
  • Several are available online
• Use a standard load
• Have a way of backing up and restoring (e.g. cloning software)
PC/Laptop hardening
• Antivirus/Antispyware: AVG Free 2012
• Firewall: Comodo
• Antivirus/Antispyware #2: Spybot Search & Destroy
• Encryption: TrueCrypt
• DNS: OpenDNS
• Virtualization: VirtualBox
iPhone Hardening
• iPhones were not built for the enterprise
• iPhone forensics can be performed on the backups made by iTunes or directly on the live device
• The bad: iPhone backups are not encrypted by default
• The good: Apple makes the data harder to read by adding a layer of encryption to sensitive files in the backup, using a key held on the phone
• The bad: it’s still crackable
• Every time you hit the home key, the iPhone takes a snapshot of the screen and keeps it on disk
• Dynamic dictionary: iPhones keep a “secret” file in the file system, the keyboard’s dynamic dictionary (dynamic-text.dat). It records the words you type, in text messages, e-mails and other applications, for the purpose of improving recognition of them. Do you type in your passwords?
• Google.com searches: the iPhone keeps track of your google.com searches! The upper limit is unknown, but 80,000 hits is not too many.
Is your phone a computer?
• 8th Circuit, U.S. v. Kramer: the court imposed a lengthier sentence because Kramer used his Motorola RAZR to lure an underage girl across state lines. The court concluded that the phone was a “computer” (so even “dumb” phones should be considered computers).
Update Your Software
• To begin, the software on the device must be up to date (Settings > General > Software Update)
• The screen shown on the slide is what you see when the software is up to date
Passcodes
• Next you will want to turn Passcode On
• Set Require Passcode so that it is required as soon as the screen is locked
• You will also want the phone to erase its data if the passcode is entered incorrectly 10 times
Safari Security
• Next, enable the Fraud Warning and Block Pop-ups in Safari’s settings
Wi-Fi Networks
• Wi-Fi settings are the next thing that will need to be adjusted
• Turn on “Ask to Join Networks” so that…
• You will also only want to join secure networks; these are shown with a lock next to the network name
• After using a Wi-Fi network, tap the network and choose to “forget the network”, so the phone does not rejoin it (or an imposter with the same name) automatically
Bluetooth Settings
• Always turn off Bluetooth on the device when not in use
iTunes Security
• Always back up the data from your mobile device through iTunes, and make sure the backup is encrypted (tick “Encrypt iPhone backup” and choose a strong password)
Guidelines to Live By
• Always erase all data off the device before repair or service
• Using the 3G (cellular) network is more secure than using a public wireless one
• An alphanumeric passcode is more secure than the usual simple 4-digit passcode
If You Lose Your Device
• Location tracking: certain applications will allow tracking of your Apple device via location services
• It is also possible to wipe the phone remotely with these applications
• The application shown is “Find My iPhone”, provided by Apple
Hands-on Demo #4 Compromising the iPhone via Siri
• Hardening check: in the Passcode Lock settings, turn off Siri’s access from the locked screen, so that nothing can be asked of the phone until the passcode has been entered
Hardening Your Android Device
Update Your Software
• To begin hardening your Android device, the software on the device must be up to date
• This can be done by going to device management and clicking on “Check for updates”
Password
• Set up or change the password for your device. This can be done under the Location and Security tab in Settings.
• The slide shows the screen you see when setting a new password
Password Hints
• Once the password is set, you will want to ensure that as soon as the screen is locked a password is required to access the device
• There are also apps that can erase the data off a phone remotely in case the phone is lost. One of these is Google Sync, and a remote wipe can be started from any computer.
Wi-Fi Settings
• The next thing that should be done is to turn “auto connect” off. This will prevent the device from joining networks that you do not wish to join.
Network Security
• To find out whether you are using a secure network, tap the network in the Wi-Fi settings
• The individual network’s entry shows the type of security the network has
• The example on the slide shows a network whose security is Open, i.e. no encryption at all
Bluetooth
• As with the iPhone, turn Bluetooth off when not in use
Wi-Fi Tips
• Once done using a Wi-Fi network, go to the Wi-Fi settings and choose “Forget network”. This prevents the device from automatically rejoining it.
• Another thing to remember is to always back up and then erase all data before sending a phone in for repair or replacement; the same applies if you choose to sell the device
If You Lose Your Device
• Apps like Android Lost are good to have on your device in case it is lost
• This app can provide security for your device as well as erase the data remotely if it is lost
Resources
• Risk Assessment (threat modeling)
  • Reduces your risk by identifying threats and vulnerabilities
  • Onsite investigation involves key employees
  • Comprehensive report of findings
  • Detailed recommendations
• Awareness training
  • Reduces your risk by addressing individual behavior
  • Onsite training can be individualized
  • Hands-on, interactive sessions
For more information
Jeff Ingalsbe
Chair - Computer Information Systems
Center for Cyber Security and Intelligence Studies
University of Detroit Mercy
(248) 988-5844
(248) 417-5048