EMERGING CYBER RISKS FACING FINANCIAL SERVICES Presented by The Risk Management Group


Scope

• Cybercrime explained
• Key implications for financial services
• A short Cyber Security overview
• Conclusions
• Q&A

Risk in one simple image

[Diagram: threat factors, threat agents, vulnerabilities, controls, risks, assets and impact, joined by the labels "exploit", "lead to", "designed to correct", "so as to reduce" and "and protect".]

Cybercrime is

1. …committed via the Internet when…
2. …the target is digital material on a connected device, or…
3. …the aim is to disrupt systems or services.

Cyber threats

[Timeline figure, 1980 to 2010, with the labels: PC viruses, key-loggers, worm, rootkits, MSDOS virus, spyware, phishing, DoS, DDoS, spam, session hijack, SQL worm, large botnet, email virus, SQL injection, XSS virus, cloud attack, cyber weapon, malnet, APT, war dialling, digit grabbers, man-in-middle.]

The 1980s threats are still challenges today, but attackers’ sophistication is increasing

Threat actors

• Hackers
• Malware developers
• Anarchists
• Negligent employees
• Spies
• Fraudsters and organised criminals
• Plus many others…


Cybercrime is evolving

From one-to-one

Through one-to-many

To many-to-one

Plus hybrid, multi-stage attacks

Case study: attack timeline

[Timeline figure: events plotted against Day 1, Day 32, Day 34, Day 37, Day 38, Day 39 and Day 41.]

Attacker:
• Attacker installs malware on target machines & creates backdoor
• Attacker installs new malware via backdoor
• Attacker pushes Day 1 malware to new systems
• Attacker pushes Day 34 malware to new systems
• Attacker exfiltrates empty directories

Victim:
• Victim removes data from known compromised systems
• Victim removes malware

Source: Mandiant

Malware is a key vector

[Diagram: attacker, infected website and user, with infection paths labelled "User action required" and "Automatically".]

Selected examples

[Timeline figure repeated.]

Rootkits

[Timeline figure repeated with this threat highlighted.]

Rootkits

[Diagram of layers: Applications (Word, Outlook, Explorer, games etc.); Data (Docs, contacts, saved game files...); Operating System (Windows, Mac OS...).]

Rootkits attack the lowest level of the operating system so that they execute on start up and avoid detection.

DOGMA Millions Rootkit

• Offers payment to partners who download their App.

• Similar model to Google toolbar etc.

• Then offers crime-as-a-service.

[Diagram: dogmamillions.com, users and payments ($).]

Spyware

[Timeline figure repeated with this threat highlighted.]

Spyware

• Sits on infected device and captures:
– Passwords and usernames
– Visited URLs
– Keystrokes
– Credit card and bank details
– Other personal data

• May also change device settings
• Can turn off Firewall and Anti-virus


Keylogger software

http://www.relytec.com/

This particular Keylogger needs to be installed directly on the target machine


SerialGhost key logger


KeyGrabber hardware

Pwn Plug hacking tool

• Network hacking toolkit
• With inbuilt WiFi
• Remote command and control

Would your users or security staff remove this if they saw it?

DDoS

[Timeline figure repeated with this threat highlighted.]

Flooding example

1. Attacker sends communication requests
2. Targeted device responds & assigns capacity to deal with the expected traffic
3. Final ACK Packet is not sent and process is repeated in high volume, flooding the target with incomplete requests.

[Diagram: SYN Packet, SYN-ACK Packet, Final ACK Packet (marked X).]
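One way to spot the incomplete handshakes described above on a Linux server, as an added example that is not part of the original presentation: it counts connections stuck in the SYN-RECV state per listening endpoint. The sample is constructed in the layout of `ss -tan` output, and the threshold of 5 is an assumption chosen for the sample.

```python
from collections import defaultdict

# Constructed sample in the layout of `ss -tan` output (documentation addresses only).
SAMPLE = "\n".join(
    ["State     Recv-Q Send-Q Local Address:Port Peer Address:Port",
     "LISTEN    0      128    0.0.0.0:443        0.0.0.0:*",
     "ESTAB     0      0      203.0.113.10:443   192.0.2.44:40022",
     "ESTAB     0      0      203.0.113.10:443   192.0.2.45:40310",
     "ESTAB     0      0      203.0.113.10:22    192.0.2.9:50122",
     "SYN-RECV  0      0      203.0.113.10:22    192.0.2.10:50300"]
    + [f"SYN-RECV  0      0      203.0.113.10:443   198.51.100.{i}:{51000 + i}"
       for i in range(1, 7)]
)


def half_open_report(ss_output, threshold=5):
    """Return stats for local endpoints with at least `threshold` half-open connections.

    A half-open connection is one where the server has answered the SYN with a
    SYN-ACK and reserved capacity, but the final ACK has not arrived (SYN-RECV).
    """
    stats = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header, LISTEN sockets and anything not in the expected layout.
        if len(fields) != 5 or fields[0] not in ("SYN-RECV", "ESTAB"):
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        entry = stats[local]
        if state == "SYN-RECV":
            entry["half_open"] += 1
            entry["sources"].add(peer.rsplit(":", 1)[0])  # peer address without port
        else:
            entry["established"] += 1
    return {
        local: {"half_open": e["half_open"],
                "established": e["established"],
                "distinct_sources": len(e["sources"])}
        for local, e in stats.items()
        if e["half_open"] >= threshold
    }


if __name__ == "__main__":
    for endpoint, info in half_open_report(SAMPLE).items():
        print(endpoint, info)
```

A single slow client also shows up as SYN-RECV, so the count is compared against a threshold and against the number of established connections rather than treated as an alert on its own.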

Distributed denial of service

[Diagram, steps 1 to 3: botnet ‘herder’ or agitator; command & control; infected network of ‘bot’ machines or volunteers; multiple attacks; target(s).]


The Low Orbit Ion Cannon

The Low Orbit Ion Cannon is an open source application designed to launch what is known as a denial of service attack. It does this by flooding a target server with messages.

The Met Police report 34,000 UK downloads in only 3 days during the 2012 attacks on the US financial services sector and videos can be found on YouTube that provide lessons in how to use the tool.

Code Injection

[Timeline figure repeated with this threat highlighted.]

Injection - extraction

[Diagram, steps 1 to 5: attacker; insecure web form, (e.g.) SQL commands injected via the form; vulnerable web server exploited; SQL commands; password or PCI databases compromised; stolen data extracted.]

Code injection example

• Over several months in early 2011 hackers:
– executed a series of successful SQL Code Injection attacks against the servers of Sony Online Entertainment (SOE)
– reportedly exposed the personal data of 100m SOE customers
– cost SOE $178 million in the process (mainly lost business through downtime)
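The injection path on the slides above, seen from the defender's side, as an added example that is not part of the original presentation: a form lookup built by string concatenation beside the parameterized version. The table, column names and form value are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed customer records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db


def lookup_concatenated(db, username):
    # Weak form: the form value becomes part of the SQL text, so quote
    # characters in it change the structure of the statement.
    query = "SELECT email FROM customers WHERE username = '" + username + "'"
    return sorted(row[0] for row in db.execute(query))


def lookup_parameterized(db, username):
    # Corrected form: the statement is fixed and the form value is bound as
    # data, so it can only ever be compared against the username column.
    query = "SELECT email FROM customers WHERE username = ?"
    return sorted(row[0] for row in db.execute(query, (username,)))


# Constructed form value containing SQL syntax instead of a plain username.
FORM_VALUE = "nobody' OR '1'='1"


def compare(form_value):
    """Run the same form value through both lookups and return both results."""
    db = make_db()
    try:
        return {
            "concatenated": lookup_concatenated(db, form_value),
            "parameterized": lookup_parameterized(db, form_value),
        }
    finally:
        db.close()


if __name__ == "__main__":
    print(compare("alice"))
    print(compare(FORM_VALUE))
```

For an ordinary username both lookups return the same single record; for the constructed value the concatenated query returns every customer while the parameterized query returns none.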

Man-in-the-Middle

[Timeline figure repeated with this threat highlighted.]

Definition

1. You wish to send me a message.
2. John manages to convince you that he is actually me… He also convinces me that he is actually you.
3. You now innocently send your message to John, thinking he is me. John takes a copy or alters the message and then sends it on to me. John is the man-in-the-middle.

[Diagram: You, John, Me.]

Man-in-the-Middle

http://hakshop.myshopify.com/products/wifi-pineapple

The equipment to attack Wireless (WiFi) networks can be purchased online

Cyber Weapons

[Timeline figure repeated with this threat highlighted.]

Cyber weapon examples

• Flame & Stuxnet:
– Adapted to attack Iran’s nuclear programme
– Flame designed to collect target data
– Stuxnet designed to attack SCADA systems

• Shamoon (2012)
– Attacked PCs on Saudi Aramco network
– 30,000 PCs had to be written off

• The Low Orbit Ion Cannon…

Drop, Report & Wipe

1. The malware is dropped onto the target machine
2. The malware executes its payload and the extracted data is sent to the attacker
3. The malware eventually wipes itself off the machine, hiding the evidence of its activities

[Diagram, steps 1 to 3: Drop; Report; Wipe (may persist for an extended period before wiping).]

Common APT vectors

• Advanced Persistent Threats:
– Internet-based malware infection
– Physical malware infection
– External exploitation/hacking

Internet Malware Infections
• Drive-by downloads
• Email attachments
• File sharing
• Pirated software
• DNS routing mods

Physical Malware Infections
• Infected USB sticks
• Infected DVDs or CDs
• Infected memory cards
• Infected appliances
• Back-doored IT equipment

External exploitation
• Professional hacking
• Co-location host exploits
• Cloud provider penetration
• WiFi penetration
• Device attacks

Trusted connections

Insider Threats
• Rogue employee
• Malicious sub-contractor
• Social engineering
• Funded placement
• Criminal break-in
• Walk in

Trusted connections
• Stolen VPN credentials
• Partner system breaches
• External hosting breaches
• Grey market equipment

Malnets

[Timeline figure repeated with this threat highlighted.]

Simple Malnet

[Diagram: malicious server, infected sites, innocent users.]


Real Malnets

A Malnet is comprised of unique domains, servers and websites working together to funnel users to the Malware payload.

This visual map, produced by Blue Coat, shows the relationships between trusted sites, relays and exploit servers to which users are directed.

The Blackhole Exploit Kit

• Currently the most prevalent web threat (Q3 2012)

• 28% of all web threats detected by Sophos and 91% by AVG are due to Blackhole

• Delivers a malicious payload to a victim's computer

• Suspected creators are Russian hackers named "HodLuM" and "Paunch"

How Blackhole works

• Attacker buys the kit & specifies the attack options.
• Victim:
– Loads a compromised web page; or
– Opens a malicious link in a spammed email

• Malformed page or email sends user to a Blackhole landing page.

• Landing page contains code that determines what is on the victim's computer and loads all exploits to which it is vulnerable.

Key implications for Firms

• Data integrity and compliance:
– Data protection
– PCI
– Corporate data

• Fraud & other financial risks
• Reputation & public trust
• Legal liability
• Operational sustainability

Key controls

• The perimeter:
– Firewalls
– Intrusion detection
– Antivirus

• Cloud and Social Media security
• Device security and BYOD management
• Data classification & encryption
• User awareness

Conclusion

[Diagram repeated from "Risk in one simple image": threat factors, threat agents, vulnerabilities, controls, risks, assets.]

User awareness is the most important governing factor at all points in the chain of cause and effect.


The CISI would like to thank

Mark Johnson, Chairman, The Risk Management Group
