Upload
eliana-allen
View
37
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Under the Black Hat. Daniel Nelson, C | EH, CIPP/US. August 27, 2014. How Bad is the Hacking Threat?. “Hackers” write sophisticated computer code to invade computer networks Hackers do this to target personal information which is then used for identity theft - PowerPoint PPT Presentation
Citation preview
© 2013 Armstrong Teasdale LLP
© 2013 Armstrong Teasdale LLP
Under the Black Hat
Daniel Nelson, C|EH, CIPP/US
August 27, 2014
© 2013 Armstrong Teasdale LLP
How Bad is the Hacking Threat? “Hackers” write sophisticated computer code to
invade computer networks
Hackers do this to target personal information
which is then used for identity theft
“Hacking” is the digital equivalent of robbing a
bank: hackers break into a system, rob it, and
make their get-away
Hacking leaves digital fingerprints that can be
traced back to catch the thief
© 2013 Armstrong Teasdale LLP
Who’s The Hacker
Adrian Lamo
Kevin Poulsen
Mercedes Haefer
John “Captain Crunch” Draper
Robert Morris
Berkley Blue & Oaf Tobark
© 2013 Armstrong Teasdale LLP
They Hack for Profit
Sometimes, but:Revenge Information“A Cause”Street CredBoredom“Because It’s There”
© 2013 Armstrong Teasdale LLP
They Are After Our Personal Information Says who?
--Brian Krebs, KrebsonSecurity.com
© 2013 Armstrong Teasdale LLP
Tools such as:
John the Ripper (Password Cracking) Angry IP Scanner (Scanning) THC Hydra (Password Cracking) Cain & Abel (Anything you can imagine on a
Windows System) Burp-Suite (Web Apps) Social Engineering Toolkit (“SET”) Wire Shark (packet sniffer)
One of the biggest challenges is to choose from among a plethora of tools
© 2013 Armstrong Teasdale LLP
Nessus
How Bad for You/Good for Me
Vulnerability Name: So I Can Find It Easily
© 2013 Armstrong Teasdale LLP
Trespassing At Will?....Priceless
Kali Linux……………………The Included Tools…………Nessus……………………….
FREEFREEFREE
© 2013 Armstrong Teasdale LLP
Pre-hack Reconnaissance on Target:• System configurations• Usernames• Passwords• Email Addresses• Reporting Relationships
The Answer to Any “How Do I” Question You Could Ever Ask
© 2013 Armstrong Teasdale LLP
YouTube
FUD: Fully Undetectable
Remote Administration Terminal (a Trojan)
© 2013 Armstrong Teasdale LLP
Quick Overview of Hacking
Basic (but still dangerous) hacking
requires access to YouTube and a
willingness to learn
Hackers have many different targets
Good Hackers may lurk in a system for
months
Hacking is extremely difficult to detect
© 2013 Armstrong Teasdale LLP
What Can Be Done
Combat Social Engineering• Understand the Threat• Train
Engage With Security• Understand what “IT” really means• Take Charge
Understand Current Legal Requirements Avoid The Compliance Trap Be Your Own CISO
© 2013 Armstrong Teasdale LLP
Social Engineering
“Hacking the Wetware” The most direct, efficient and effective form
of attack One simple goal: generate an emotional
response Takes Many Forms:
• Phishing/Spearphising• Physical Intrusion• Remote
Odds are strongly in Hacker’s favor
© 2013 Armstrong Teasdale LLP
Phishing/Spearphishing
Phishing: Impersonal “blast” email Spearphishing: Uses personal information
about “sender” or recipient to encourage recipient to trust the email• Vacation plans• Recent promotions• Company events• Hobbies
This information is all too easy to find:
© 2013 Armstrong Teasdale LLP
Physical Intrusion
First Rule of Hacking: If you can touch it, you will own it.
© 2013 Armstrong Teasdale LLP
Social Engineering Countermeasures
Build Awareness•Every Employee is Part of Your Security Plan
Train•Recognize the Common Attack Vectors•Appreciate the Dangers
© 2013 Armstrong Teasdale LLP
Engage With Security
Understanding “IT”• The field is highly specialized
−Network−Desktop−Database−Programming−Website
Security is 10% IT, and 90% Everybody Else• Physical Security• Mobile Device Security• Anti-Phishing
© 2013 Armstrong Teasdale LLP
The Biggest Mistake
Ignoring Counsel’s Essential Role in Data Security
What You Give Up:• Privilege• Participation in decisions when it matters
most• Independent analysis
© 2013 Armstrong Teasdale LLP
Protecting Privilege
Attorney-client privilege can be invoked between the victim company’s outside legal counsel and hired third-party forensic firms that perform a review of the system during a breach. Invoked privilege allows the forensic company to report breach results directly to the law firm.
http://www.secretservice.gov/ECTF_best_practices.pdf
© 2013 Armstrong Teasdale LLP
Being There When It Matters Most Data Security incidents often have legal consequences• Regulators• Insurance coverage issues• Lawsuits
IT won’t be representing the company!
You can be there when decisions are made, or you can be there when the die has been cast.
© 2013 Armstrong Teasdale LLP
Independent Eyes
Why do we have outside auditors? Same principal holds true for data forensics: often outside eyes see more clearly• Independent evaluation of what went
right, and what went wrong• May well be more qualified for forensic
work• Better expert witnesses• Detect the “inside job”
© 2013 Armstrong Teasdale LLP
The Second Biggest Mistake
Failure to have a planData Incidents take many forms, and involve complicated questions that demand real-time answers
Regulators (and underwriters) increasingly looking to whether you had a plan
© 2013 Armstrong Teasdale LLP
What’s the Next Step?
Front Desk Security calls: There are two FBI Agents in the Lobby asking to speak to the head of Information Security.• Do you meet with them?• Do you allow them access to your network?• What is your company’s policy with respect to
cooperation with law enforcement?
© 2013 Armstrong Teasdale LLP
What’s the Next Step (Part II)
Your CEO receives an email containing the private financial information of ten of your customers. The sender informs you that they have all 10,000 such records, and intend to release them unless your company pays a ransom within 12 hours.• What is your company’s policy for this?• Do you involve law enforcement?• What is your media strategy?• Does your cyber policy cover this?• How do you evaluate whether the threat is
real?
© 2013 Armstrong Teasdale LLP
Understand the Legal Requirements
Fast Changing LandscapeThe “Law” Simply Can’t Keep Up
FTC “Common Law” on Security
HIPAAState Data Security LawsLong on Recommendations, but Short on Specifics
© 2013 Armstrong Teasdale LLP
37
Recent FTC Enforcement Actions Cbr Systems, Inc.
• Cbr’s privacy policy promised to handle personal information securely and in accordance with its Privacy Policy and Terms of Service
• After unencrypted data contained on storage media and a laptop were stolen from a Cbr employee’s car, the FTC charged Cbr with deceptive trade practices because Cbr failed to meet its promised security promises. In particular, the FTC focused on Cbr’s failure to employ secure data transport practices, failure to encrypt data, and retention of data for which Cbr no longer had a business need
© 2013 Armstrong Teasdale LLP
Enforcement Actions
TRENDnet
• SecurView cameras for home monitoring
• Software issue allowed anyone with camera's web address to view the live feed
FTC charged:
• Failure to utilize reasonable measures to test security;
• Unencrypted transmission of user credentials, and unencrypted mobile storage of login information.
© 2013 Armstrong Teasdale LLP
39
Massachusetts Data Security Laws Requires “Comprehensive” data security
program that includes:• Designated responsible employee(s)• Identification & assessment of risks• Employee security policies• Oversight of service providers (including
requiring such providers, by contract, to maintain appropriate security measures)
• Encryption of data that will “travel across public networks” or that will be “transmitted wirelessly”
© 2013 Armstrong Teasdale LLP
Encryption Growing body of regulations and
enforcement actions requiring some form of encryption
Encryption may come in many forms:
• Encryption in transmission (e.g. PCI Rules, TSL/SSL, PGP Email)
• File level Encryption
• Full disk Encryption
© 2013 Armstrong Teasdale LLP
The Compliance Trap
Compliance can be Security’s Worst Enemy
“Check the Box” is not the same as “Secure”
Compliance: Do you have a home alarm?
Security: Do you actually turn it on?
© 2013 Armstrong Teasdale LLP
Be Your Own CISO Update & Patch
• Very little “Zero Day” Malware• Significant Amount of Malware is Reverse
Engineered from the Patch Password Security
• Wrc$5oo93=T• Longer is Better• PollyWants1Cracker
Secure Physical Access Change Default Passwords
• Computers/Wireless Access Points• Home Alarms
© 2013 Armstrong Teasdale LLP
43
Questions?
Dan Nelson, C|EH, CIPP/US, Partner314.552.6650 [email protected]
http://twitter.com/DanNelsonEsq www.linkedin.com/in/danielcnelson