Top Hotel Scams and The Human Vulnerability

Chris Pogue, MSIT, CISSP, CEH, CREA, GCFA, QSA

Nuix Chief Information Security Officer



Copyright Nuix 2015, 28 June 2016

> whoami

Chris Pogue

• Master’s Degree in Information Security
• 18 years experience (US Army Signal Corps Warrant Officer, US Secret Service Instructor, National Computer Forensics Institute Instructor, Incident Responder, Delivery Director)
• Published Author
  – Unix and Linux Forensic Analysis – Syngress
  – Data Breach Response and Investigations – Elsevier
• More than 50 interviews and bylines in international media outlets
• 2010 recipient of the SANS Thought Leader Award
• CISSP, CEH, CREA, GCFA, QSA
• Speaker at more than 75 conferences over the past five years
• Creator of the Sniper Forensics methodology
• Expert witness
• Cybersecurity Adjunct Professor at Southern Utah University


“Behind every successful fortune, there is a crime.” - Mario Puzo, The Godfather


Criminal Activity

• Loosely organized, yet extremely effective
  – Compartmentalized groups
  – Global communication capabilities
  – Craigslist-style advertisement
• Forum-based
  – Never met, yet trust each other with millions
  – Largely Russian speaking
  – Actors are vetted by at least two referrals and around US$1,000
• No longer using open channels
  – Makes monitoring much more difficult for law enforcement
  – Isolated, independently maintained systems
  – If these go away, it’s all HUMINT


Criminal Activity

• Street gang involvement
  – Purchasing stolen cards via forums
    • Fraudulent purchases
    • Fencing purchased items
    • Chargebacks (usually requires a collusive merchant or cashier)
  – Use stolen gift cards or hotel room keys
  – Much safer
    • No tweakers
    • More comfortable
    • No mandatory sentencing
• Facilitate other crimes
  – Violent crimes
  – Human, weapon and sex trafficking
  – Support terrorism


Criminal Activity

• Increase in attack complexity?*
  – Still missing the basics of ‘IT hygiene’
  – Adapting to stringent security controls and improved security technologies
• Leverage arrogance
• If you know about it, they know about it (the fatal flaw in compliance)
• Global coordination
• Motivations
  – Geopolitical
  – Philosophical
  – Retaliation
  – Financial gain
  – Opportunity

* Hackers are lazy. They are only going to try as hard as they have to.


Criminal Activity

• Hotels remain a primary target for carders
  – Low risk, high reward
  – Attribution, apprehension, and prosecution
• IT hygiene continues to be a scourge
  – Not the core competency of the target
  – Usually little ability to detect a breach
• Post breach landscape

How do we solve this dastardly problem???


Agenda

The Cerebral Vulnerability

The Infiltration Causation

Alternative Perspectives

The Cognitive Clash

A Summation of the Psyche

Questions


The Cerebral Vulnerability


• A cognitive bias is a genuine deficiency or limitation in our brain's ability to process information sufficient for us to make conscientious decisions.

• Some social psychologists believe our cognitive biases help us process information more efficiently, especially in dangerous situations. Still, they lead us to sometimes make grave mistakes.



The Infiltration Causation


“An incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure.”

“An event in which an individual’s name plus a medical record and/or a financial record or debit card is potentially put at risk—either in electronic or paper format.”



System glitches?


Internalization?

Externalizing blame?


• Technology is rarely the cause of data breaches
• One hundred percent of:
  – Hackers
  – Insider threats
    • Malicious
    • Non-malicious
  – IT personnel
  – Business personnel
  …are human beings
• Therefore, 100% of data breaches are the result of human activity


• A cognitive bias refers to a systematic pattern of deviation from norm or rationality in judgment, whereby inferences about other people and situations may be drawn in an illogical fashion. Individuals create their own "subjective social reality" from their perception of the input.

• An individual's construction of social reality, not the objective input, may dictate their behavior in the social world. Thus, cognitive biases may sometimes lead to perceptual distortion, inaccurate judgment, illogical interpretation, or what is broadly called irrationality.


External driver
• Have not yet been breached

Perception
• It’s not going to happen to me

Manifestation
• Don’t properly test countermeasures

Cognitive biases
• Normalcy bias: The refusal to plan for, or react to, a disaster which has never happened before
• Neglect of probability: The tendency to completely disregard probability when making a decision under uncertainty


External driver
• Others are breached

Perception
• Bad things happen to other people, not me

Manifestation
• Failure to prioritize security and plan for a breach

Cognitive biases
• Optimism bias: The tendency to be overoptimistic, overestimating favorable and pleasing outcomes
• Ostrich effect: “If I can't see it, it doesn't exist”


External driver
• Industry experience

Perception
• I have been doing this for years—don’t tell me how to do my job!

Manifestation
• Lack of realistic understanding of the threat landscape
• Focus on non-impactful issues

Cognitive biases
• Curse of knowledge: When better-informed people find it extremely difficult to think about problems from the perspective of lesser-informed people
• Parkinson’s Law of Triviality: The tendency to give disproportionate weight to trivial issues


• Data breaches are usually framed as technical failures as opposed to human failures
• Evidenced by the myriad of checklists used in information governance and compliance
  – Contain security controls
  – Do not contain any notion of strategy, decision making, or staffing
• Therefore, solutions are usually framed in the same way: technical solutions to solve a technical problem


Alternative Perspectives


HW Heinrich’s Theories of Accident Causation and Prevention proposed that:

• Eighty-eight percent of workplace accidents were caused by unsafe acts

• Ten percent of workplace accidents were the result of unsafe equipment or conditions

• Two percent were unavoidable


1. Lack of technical knowledge
2. Failure to utilize the system as it was intended
3. Failure to properly utilize prevention mechanisms
4. Failure to follow standard operating procedures
5. Failure to implement appropriate configuration settings
6. Failure to establish a proper defensive posture
7. Interaction with critical computing assets
8. Failure to adequately comprehend the threat landscape
9. Failure to implement proper security control mechanisms



The Cognitive Clash


“Insanity: Doing the same thing over and over again and expecting different results.”


The Cognitive Clash – The Battle Plan

1. Admit
2. Identify
3. Automate
4. Learn
5. Hire


The Cognitive Clash – The Action Plan

1. Realize there is a problem, and that we are going to do something about it
2. Garner/provide top down support
3. Identify cognitive biases, and implement a mechanism to overcome them
4. Understand that there is an ROI for security
5. Understand that GRC regimes are a part of the solution, not the entirety of it
6. Look for wisdom in other areas
7. Institute a “train as you fight” security philosophy
8. Create a culture of security minded employees
9. Realize security is a journey, not a destination
10. The marriage of human intelligence and technology is the key to success


The Cognitive Clash – The Escalation of Commitment and Conservatism Bias

1. Escalation of Commitment - the pattern of behavior in which humans continue to rationalize their decisions and behavior, even when they cause clearly negative outcomes, rather than alter their course.

2. Conservatism Bias - the tendency for humans to insufficiently revise their beliefs even when they are presented with compelling new evidence.

3. Humans do not like to admit fault for anything


Are we mentally and emotionally mature enough to push beyond our cerebral programming and alter our destiny?


A Summation of the Psyche


Questions?


Special Thanks

• Chris Wright, Ph.D., President/CEO, Reliant Talent Management Solutions
• Rob Caillet, EHS & Security Manager, GE Manufacturing Solutions
• Colin McIff, Health Attaché to the US Mission to the UN in Geneva, World Health Organization
• BG Allen, Principal, BG Allen Consulting


References

• BakerHostetler, Data Security Incident Response Report 2015, May 2015
• Michael Carroll, “Part Human, Part Machine, Cyborgs Are Becoming a Reality”, Newsweek, July 2014
• George Dvorsky, “The 12 cognitive biases that prevent you from being rational”, io9, September 2013
• Experian, 2015 Second Annual Data Breach Industry Forecast, October 2015
• Sydney Finkelstein, “Why Smart People Make Bad Decisions”, Harvard Business Review, February 2009
• FireEye Threat Intelligence Reports
• Herbert William Heinrich, Industrial Accident Prevention: A Scientific Approach, McGraw-Hill, 1931
• F. Heylighen, “Occam's Razor”, Principia Cybernetica, September 1995
• Identity Theft Resource Center, 2015 Data Breaches, January 2016
• Ari Kaplan Advisors, Defending Data: Turning Cybersecurity Inside Out With Corporate Leadership Perspectives on Reshaping Our Information Protection Practices, December 2015
• Hans Moravec, ROBOT: Mere Machine to Transcendent Mind, Oxford University Press, October 1998
• Frank Pennachio, “Going beyond the Limits: A 10-Year Study Conducted by DuPont Found That 96 Percent of Accidents at the Company Were the Result of Unsafe Actions by Employees Going beyond Their Limits, Rather Than Unsafe Conditions”, Occupational Hazards, September 2008
• Ponemon Institute, 2015 Cost of Data Breach Study, May 2015
• Verizon, 2015 Data Breach Investigations Report, July 2015
• World Health Organization, Report of the Ebola Interim Assessment Panel, July 2015