2© Copyright 2014. Computer Services, Inc.
ABOUT ME
– 10+ years consulting experience related to InfoSec, risk and compliance
– Past life: network/security administrator
– Training and experience in vulnerability assessment and network penetration
– Hold the following certifications:
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified in Risk and Information Systems Control (CRISC)
• GIAC Certified Incident Handler (GCIH)
• GIAC Certified Penetration Tester (GPEN)
• GIAC Web Application Penetration Tester (GWAPT)
• EC-Council Certified Ethical Hacker (CEH)
TODAY’S AGENDA
• The Basics
• The Guidance
• The Scenario
• The Process
• Some Defenses
WHAT IS SOCIAL ENGINEERING?
The art of manipulating people into performing actions or
divulging confidential information
CORE METHODS
• Phishing
• Baiting
• Pretexting
Phishing channels:
• Email
• IVR/Phone (Vishing)
• SMS Text Messages (Smishing)
FFIEC
• June 6, 2013 – Formation of a regulatory working group to improve coordination on critical infrastructure and cybersecurity issues
• October 2, 2013 – Support of Cybersecurity Awareness Month
• October 7, 2013 – Microsoft’s discontinuation of support for Windows XP
• April 10, 2014 – OpenSSL “Heartbleed” Vulnerability
• April 2, 2014 – Cyber-attacks on ATMs and card authorization systems and the continued DDoS threat
• May 7, 2014 – Promotes cybersecurity preparedness for CFIs
• June 24, 2014 – Announcement of cybersecurity web page
• September 26, 2014 – Bash “ShellShock” Vulnerability
• November 3, 2014 – Cybersecurity assessment observations
FFIEC GUIDANCE
“Criminals may begin the attack by sending phishing emails to employees of financial institutions as a means to install malicious software (malware) onto the institution’s network.
Once installed, criminals use the malware to monitor the institution’s network to determine how the institution accesses ATM control panels and obtain employee login credentials.”
ONE “SCARY” RECOMMENDATION …
The guidance goes on to outline a number of risk management steps that the FFIEC expects financial institutions to take, as appropriate.
One in particular tends to be very scary to many institutions:
• Test incident response plans
– “Consider conducting an exercise at the financial institution that simulates this type of attack”
DECISIONS, DECISIONS
• Phishing for value – beyond link clicks and statistics
– Why should we “simulate an attack”?
– How far should we take it?
THE BENEFITS
EVALUATE
• User Awareness
• Security of End-user Systems
• Defense Technologies
• Incident Response
• Exfiltration Protection
• Ability to Identify Persistence
MEASURE
• Defense Capabilities
– Comparison of Susceptible Users
– Incident Response Times
DEMONSTRATE
• Impact
– Employee Paradigms
– Outcomes of an Attack
THE SCENARIO
• A determined attacker has set out to infiltrate your organization's infrastructure.
• After network reconnaissance, the attacker has determined that the best path to the internal network will be through a phishing attack, rather than by trying to "hack" the outside.
THE PROCESS
Reconnaissance → Reconnaissance → Reconnaissance → Reconnaissance → Attack
THE RECON
• Recon, Recon, Recon
• Domain name selection
• Domain name registration
• MX records
• Target validation
• Payload and pretext testing
PHISH STATISTICS
(Results from six engagements; percentage of targeted users who took each action. A blank cell means that action was not part of the engagement.)
| Followed link | Provided creds | Ran the file |
|---|---|---|
| 27.3% | 4.5% | 4.5% |
| 23.5% | 17.7% | 11.8% |
| 37.0% | 29.0% | |
| 50.0% | | 36.0% |
| 73.0% | 60.0% | |
| 74.5% | | 39.2% |
DEFENSES
• Intelligence Leakage
• Spam/Proxy Filtering
• SMTP Configuration
• Malicious Code Prevention
• Incident Response
• Ingress/Egress Filtering
• User Awareness & Training
• Data Loss Prevention/Protection
• Patch Management & System Hardening
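The recon slide lists domain name selection and MX records as the attacker's setup steps, and the defenses slide answers with spam filtering and SMTP configuration. As an added example that is not part of the presentation, the script below shows one concrete control a mail gateway or SIEM rule can apply: flag inbound senders whose domain is a lookalike of the institution's own. The domain examplebank.com, the homoglyph table, and the log lines are constructed for illustration.

```python
"""Flag inbound sender domains that look like the institution's own domain.
Constructed example; examplebank.com and the log lines are not real."""
import re

ORG_DOMAIN = "examplebank.com"  # assumed institution domain (constructed)
# Visually confusable substitutions commonly used in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize(domain):
    """Lower-case and fold common homoglyph substitutions before comparing."""
    d = domain.lower()
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain, org_domain=ORG_DOMAIN, max_dist=2):
    """True when the sender is not our domain but, after homoglyph folding, is
    within max_dist edits of it or reuses our label under another TLD."""
    if sender_domain.lower() == org_domain.lower():
        return False
    s, o = normalize(sender_domain), normalize(org_domain)
    return levenshtein(s, o) <= max_dist or s.split(".")[0] == o.split(".")[0]


# Constructed sample of an MTA log: "<timestamp> from=<address> to=<address>"
SAMPLE_LOG = """\
2014-11-03T09:12:01 from=hr@examplebank.com to=jdoe@examplebank.com
2014-11-03T09:14:22 from=it-support@examp1ebank.com to=jdoe@examplebank.com
2014-11-03T09:15:40 from=alerts@examplebank.net to=jdoe@examplebank.com
2014-11-03T09:16:05 from=news@vendor-news.example to=jdoe@examplebank.com
"""


def flag_lookalike_senders(log_text):
    """Return the sender domains in the log that resemble ours but are not ours."""
    return [m.group(1) for m in re.finditer(r"from=[^@\s]+@([\w.-]+)", log_text)
            if is_lookalike(m.group(1))]
```

Running `flag_lookalike_senders(SAMPLE_LOG)` returns the two constructed lookalikes; a hit is a candidate for quarantine and for the incident response timing measured on the benefits slide.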
SOLUTIONS
• Vulnerability Assessment
• Social Engineering
• Penetration Testing (Internal / External)
THANK YOU!
PLEASE CONTACT ME WITH ANY QUESTIONS
Tyler Leet, Director of Risk and Compliance Services, CSI
(888) 494-8449, ext. 17204