
Page 1

8/13/2019, AbacusTechnologies.com

Secure, Empower, Protect: Preventing attacks and breaches

Agenda

• What are the threats to my organization?
• Who is responsible for attacks and why?
• Statistics: Cybersecurity by the numbers
• What can my organization do?
• A Cautionary Tale

Page 2

Why are Governments and Municipalities a target of Cyberattacks?

It’s increasingly difficult to hide city ransomware infections, particularly given that responding to them often requires funds from municipal coffers. 

Cities are getting deeper and deeper into IP‐based activities to deliver services as efficiently as possible, giving attackers more opportunity to engage in malicious behavior.

State and local governments hold a wealth of information about citizen activity: permits, parking tickets, water bills and credit card information.

They face financial constraints that limit just how much they can spend on protecting themselves from breaches, malware infections and other kinds of attacks.

They struggle to keep pace with technology refresh cycles, which are growing shorter each year. Today the typical refresh cycle is about 18 months and most cities aren't ready for it. Citizens also don’t like interruptions in services.

What are the threats?

Data Breach

Financial Fraud

Malicious Software Installation

Page 3

What are the threats?

Data Breach
• Stolen credentials, Malware
• Access online or on‐premise systems
• Conduct additional attacks or fraud
• Information sold on Dark Web
• Payroll data, Citizen data
• Credit Card / Payment information

Nearly 446 million records were exposed in 2018 across 1,244 data breaches. Attackers were motivated by financial gain, with an average time on target of 176 days.

Personal Data For Sale

What are the threats?

Malicious Software Installation
• Ransomware / Malware
• Denial or destruction of Systems
• Exfiltration of Data

Page 4

What are the threats?

Malicious Software Installation

Affiliate Network

Vertical Integration Managed Service

$300‐$800 USD per machine

2x to 10x multiple being added to ransom demands for tardiness.

What are the threats?

Malicious Software Installation


Page 6

What are the threats?

Financial Fraud
• Wire Diversion or Intercepts
• Vendor Payment Fraud
• Steal Data (Clients / Internal)
• ACH / Checks / Credit Card

Phishing/Spear Phishing

Phone calls / Texts to users

Social Engineering Tactics

Vendor Payment Fraud

Impersonation of CEO, CFO

Who is responsible and Why?

Adversaries

Insider: Malicious or benign, an authorized user with access to organization data or information assets.

Criminal: An individual or group who uses cyber to commit theft, fraud or other criminal acts.

Hacktivist: A person or group who uses cyber‐activities to achieve political, social or personal goals.

Nation‐State: Government backed actors with training, resources and offensive capabilities.

Potential Objectives

Steal (Confidentiality)
• Gain assets or data
• Release data to public
• Create a Competitive Advantage
• Extort Money

Destroy (Integrity)
• Destroy assets
• Create political advantage
• Discredit and harm reputation

Disrupt (Availability)
• Halt critical services
• Interrupt business
• Embarrass the company

Page 7

By the numbers…

57% of leaders feel their organization is More Susceptible to cybersecurity threats than previous years.

59% of malicious email sent were attempts at financial fraud through virus or social engineering

$12.5k per day cost in downtime is the average cost of attack

Companies hit by ransomware every 40 seconds

Your organization is a target.

Attack will likely come by email.

If you are not prepared, you will incur significant costs related to recovery and downtime.

$200,000 is the avg. total cost to recover from a cyberattack

72% of Cyber‐attacks are targeted at organizations with fewer than 100 employees

22% of ransomware victims had to fully cease business operations during event.

90% were targeted and received emails related to Business Email Compromise (BEC)

What can you do?

• Secure Your Technology
• Empower Your Users
• Protect Your Organization

Page 8

Secure Your Technology
Introduction of technology increases the inherent risk of an attack.

Inventory hardware and software
• Risk: Unauthorized software or hardware
• Goal: A clear picture of what you need to protect

Secure Configurations
• Risk: Nothing is secure “Out of the box” – no defaults
• Goal: Standardized deployment of technology

Control administrative access
• Risk: Keys to the kingdom
• Goal: Separate administrative accounts, limit their use, MFA

Keep technology current
• Risk: Attackers exploit known vulnerabilities
• Goal: Current, supported and regularly updated. Plan.

Secure Your Technology: Consider the following

WannaCry Ransomware

MS17‐010: Security update for Windows SMB Server: March 14, 2017

Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.

Millions of machines remain vulnerable.

Office 365: Email, file share and sync, Office applications

Microsoft’s Responsibility
• Infrastructure
• Supporting Technology
• Physical, Logical, Application Security
• Data Processing and Controls

YOUR Responsibility
• Data level security – deletion, malicious employees, employee retaliation
• Data level security – Ransomware, Malware, Account Compromise

Microsoft provides a 30‐60‐90 day security action plan, but YOU must properly configure and implement these controls.

Page 9

Empower Your Users
People are not the weakest link, they are the primary attack vector.

Employees introduce risk > Manage Human Risk > Change Human Behavior
• Phishing / Social Engineering: Education and Awareness; Recognize and report potential threats
• Authentication: Secure but easy to manage; Individual responsibility
• LT Sustainment and Culture: Perception of Security; Culture of Security within the organization

Help prevent Phishing Attacks…

Be cautious of emails that ask you to open a file or enter information into an online form.

Be skeptical of any unexpected emails that prompt you for your login information. 

Sophisticated phishing attempts will appear to come from people you trust. If an email seems suspicious, call or email the sender directly.

Pick up the phone and call the individual, using the company directory or vendor information. Another option is to have another associate create a new email from another PC to validate the instruction.

Page 10

The Hack: Office 365 Email Account Compromised via Phishing Attack

Compromised mailbox: [email protected]

Wire Transfer Request Process: Mallory > John H. > Oakworth

Actions of Malicious Actor:
‐ Created email rules in Outlook to filter out any email conversations from ABC, Oakworth Capital
‐ Registered the domain acbpay.com
‐ Created email account [email protected]

Perpetuate the Fraudulent Wire Transfer Request:
‐ Email from Mallory to [email protected]
‐ Email from [email protected] to Oakworth approving the Wire Transfer
‐ EXACT copy of Wire Transfer Form taken from Mallory mailbox content

Why it didn’t work:
‐ Oakworth Capital called to verify the Wire Transfer Request for $45,000

Required Actions:
‐ Notified the Client from which the phishing email was sent
‐ Reset Office 365 Passwords

Empower Your Users: Anatomy of a Phishing (BEC) Attack
(Figures: Phishing Email from a Client Contact; Landing Page for Harvesting Credentials)
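The domain the attacker registered in this case, acbpay.com, differs from the client's domain by one swapped pair of letters, which is the kind of near-miss a mail gateway or SIEM rule can flag before a wire approval reaches a human. The following is an added example, not part of the deck or of Abacus Technologies' material: it scores sender domains against a trusted-partner list using an edit distance that counts an adjacent-letter swap as one edit, and reports near-misses whose subject mentions payment. The client's real domain (assumed to be abcpay.com; the deck names only the look-alike), the second trusted domain, the sample headers and the keyword list are all constructed.

```python
import re

# Constructed allowlist of partner domains that send payment instructions.
# abcpay.com is assumed to be the client's real domain: the deck names only
# the attacker's look-alike, acbpay.com. oakworthcapital.com is also assumed.
TRUSTED_DOMAINS = {"abcpay.com", "oakworthcapital.com"}

SAMPLE_MESSAGES = [  # constructed (From header, Subject) pairs
    ("John H. <john.h@abcpay.com>", "Q3 invoice"),
    ("John H. <john.h@acbpay.com>", "URGENT: approve wire transfer $45,000"),
    ("Payroll <payroll@abcpay.co>", "Updated wire instructions"),
    ("Newsletter <news@example.org>", "Weekly digest"),
]

WIRE_KEYWORDS = ("wire", "transfer", "payment", "ach", "invoice", "account")


def osa_distance(a: str, b: str) -> int:
    """Levenshtein distance that also counts an adjacent-letter swap as one
    edit (optimal string alignment), so 'acbpay' is 1 away from 'abcpay'."""
    # Row 0 / column 0 hold the cost of building a prefix from nothing.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From header; '' if there is no address."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return the trusted domain this sender imitates, or None. Exact matches
    are trusted; keep max_edits small, short domains false-positive quickly."""
    if not domain or domain in trusted:
        return None
    dist, target = min((osa_distance(domain, t), t) for t in trusted)
    return target if dist <= max_edits else None


def triage(messages=SAMPLE_MESSAGES):
    """Return (From, imitated domain, payment wording?) per suspicious message."""
    flagged = []
    for from_hdr, subject in messages:
        target = lookalike_of(sender_domain(from_hdr))
        if target:
            money = any(k in subject.lower() for k in WIRE_KEYWORDS)
            flagged.append((from_hdr, target, money))
    return flagged
```

A hit with payment wording is the case the deck's Oakworth Capital staff caught by phone; the rule simply makes that callback mandatory rather than lucky.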

Empower Your UsersSocial Engineering with Public Wi‐Fi

Hackers can also use an unsecured Wi‐Fi connection to distribute malware. Having infected software on your computers and devices can be financially crippling to your business. 

Snooping and sniffing. Another public Wi‐Fi risk is hackers using special software kits enabling them to eavesdrop on Wi‐Fi signals.

Configure Evil Twin AP / Disassociation Attack / Man in the Middle (Renaissance_CONFERNCE)

... or maybe

Karma attack – steal SSIDs of previously‐associated networks

Page 11

Protect Your Organization

Lack resources for a robust security plan
• Prioritize and Execute: implement safeguards based on risk

Backup/System Recovery Plan
• Develop, Implement, Test
• Mitigate the impact of Ransomware, Malware

Recognize Cyber‐attacks are the new norm
• Assessment to identify gaps in security
• Create a baseline and strategy for security

Costs of a Cyber‐attack can be significant
• Mitigate risks through Cyber insurance
• Alleviate costs of recovery, notification, legal fees

Luck favors the prepared: it is not a matter of if but when. “67 percent of these municipalities lack a written cybersecurity risk management plan”

Anatomy of an attack: Recon with DNSDumpster

• Local IP for Corporate Office
• Public IP for WordPress Intranet
• Full External IP Block for Corporate Office

Using publicly available information I was able to determine the external network attack surface. Additionally, I know Office 365 is the email platform and you're likely using Azure AD services.

Recon with MXToolbox.com

Data doesn’t need to be secret to be valuable.

Page 12

Anatomy of an attack: Recon of Emails for Phishing Attack

SET – Social Engineering Toolkit

LinkedIn Enumeration Tool

theHarvester

Using publicly available information and free tools I have emails, titles, and even pictures of potential targets.

• Business Social Media Posts
• Personal Social Media Posts
• Recent News
• Association / Events / Memberships

Future: Prevention and Defense

Active Defense and Countermeasures

Defense in Depth: Traditional, Reactive, Ineffective and generally poorly implemented

Paradigm Shift: Take the fight to the enemy

Annoyance and Attribution
• False Responses, Tripwires
• Swamp the scanner
• Honeypots, PortSpoofs

Attack the attacker
• Traps that trigger counterattacks
• Offense informs Defense
• Attribution (who, what, where)
• Counter ‐‐ needs balance, don’t be evil!

Page 13

Future: Regulation and Compliance

Alabama Insurance Data Security Law (Act 2019‐98)(“Law”), which imposes a comprehensive set of data security requirements on persons and entities licensed by the Department of Insurance. 

The FTC announced in March that it was seeking proposed changes to the Gramm‐Leach‐Bliley Act’s Safeguards Rule as well as the Privacy Rule. Expand the definition of a “Financial Institution” and impose stricter requirements on security within these organizations.

The Cybersecurity Conversation
• Banking transactions
• Government contracts
• General contracts for service
• Insurance
• Vendor Management program requirements

Breach Notification Laws enacted in all 50 states

A Cautionary Tale

Summary: Abacus Technologies was engaged to provide an objective Technology Risk Assessment; details have been redacted for privacy and security purposes.

True Story, actual events which happened in 2017‐2018.

Page 14

A Cautionary Tale

• 17 different accounts were members of highly privileged roles on the network.

• Local Administrative Accounts active on all System servers. No password policy

• 5 Domain Admin/Enterprise Admin accounts were no longer being used, leftover from a previous vendor.

• Built‐In accounts were enabled.

• 61 Domain User Accounts had not been used in the past 30 days. Former employees? Temporary Accounts?

Controlling use of Administrative Privileges: The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise.

A Cautionary Tale

• No Management, Monitoring, or regular testing of backups.

• No offsite backup of systems or data. Local backup was connected to the network.

• Not all server systems were included in the backup set.

• No plan in place for Recovery or Business Continuity.

Data Recovery: The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

Page 15

A Cautionary Tale

• Multiple Windows Server Systems missing Critical Security Updates.

• VMware ESXi Hosts were several versions behind.

• EOL / End of Support for several installed applications.

• Anti‐Virus / Anti‐Malware inconsistently applied across servers and workstations.

Continuous Vulnerability Management: Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

A Cautionary Tale

Provided a Summary of Findings and Recommendations

Provided Summary Action Plan 

Page 16

A Cautionary Tale

Six months following the delivery of the report they were hacked by Nation‐State Actors

• Intrusion via Firewall or Phishing email

• All server systems were encrypted, including their onsite backups

• Decided to pay the ransom, encryption keys delivered but did not work. ($12K)

• All services were halted for more than two weeks following the hack.

• Manually processing payroll for their employees.

• Writing paper/manual checks for Accounts Payable.

• Re‐constructing Accounting transactions from paper files to complete annual audit

• Most data was finally recovered through backups

• Still recovering almost six months after the attack.

Conclusion

“There are two types of companies, those that have been hacked and those that will be”. ‐‐‐Former FBI Director

• Put cybersecurity on the agenda before it becomes the agenda

• Create a culture of Security within our own organizations

• Assess risks in your organization, create a roadmap to close gaps and get started.

• Secure your Technology, Empower your Users, and Protect your Business

Page 17

Brian Jackson, COO and President
205‐443‐5915 / 205‐587‐5543

[email protected]

Our goal is to provide exceptional customer experience and bring peace of mind to our clients.

We continue to build upon our ability to combine experience with up‐to‐date knowledge of technology strategies and best practices. Our aim is providing reliable and cost‐effective solutions for business needs.

• Managed Technology Solutions
• Systems Engineering / Infrastructure / Consulting
• Business Continuity / Recovery Solutions
• Carrier and Telecom Solutions
• Cybersecurity

Q&A