Compliance & Controls: A Hacker’s Perspective
Tony Gambacorta, VP of Security Operations at Synack
[email protected]

HIMSS Summit of the Southeast: Compliance and Controls



Page 1: HIMSS Summit of the Southeast: Compliance and Controls

Compliance & Controls: A Hacker’s Perspective
Tony Gambacorta, VP of Security Operations at Synack
[email protected]

Page 2: HIMSS Summit of the Southeast: Compliance and Controls

Let’s (continue to) borrow from healthcare

• Ability is fostered by understanding
• No need to quit your day job
• Enables positive outcomes
• All of the above, plus…
• The stakes are lower
• Knowledge makes people harder targets
• Who doesn’t want to learn how to hack?

Page 3: HIMSS Summit of the Southeast: Compliance and Controls

Mr. Robot Clip

Page 4: HIMSS Summit of the Southeast: Compliance and Controls

Signature-Based Defenses

Vulnerable to novelty, they only catch the low-hanging fruit.

Defenses must be “working”; “did work” or “should work” don’t cut it.

[Diagram: an attacker sending attack after attack at “Your Environment”.]
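The coverage gap on this slide, as an added example that is not from the talk. The samples are constructed stand-ins for file contents (the hostname `c2.example.invalid` is a placeholder): an exact-hash signature catches only the sample it was written for, a normalised string signature also survives cosmetic edits, and neither sees the thing the defender has never observed.

```python
import hashlib
import re

# Constructed stand-ins for file contents; none of this is from the talk.
# KNOWN_SAMPLE is what the defender has already seen and written a signature
# for. VARIANT_SAMPLE is the same tool with cosmetic changes (case, spacing,
# line ending). NOVEL_SAMPLE is something the defender has never seen.
KNOWN_SAMPLE = b"beacon v1: callback to c2.example.invalid every 60s"
VARIANT_SAMPLE = b"BEACON   v1: Callback to C2.EXAMPLE.INVALID every 60s\r\n"
NOVEL_SAMPLE = b"phone home over dns txt records, no fixed hostname"

# Signature type 1: exact hash of the known sample (what a basic IOC feed gives you).
KNOWN_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Signature type 2: distinctive strings, matched after normalisation (YARA-style).
KNOWN_STRINGS = [b"beacon v1", b"c2.example.invalid"]


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def hash_signature_match(blob: bytes, known=KNOWN_HASHES) -> bool:
    """Exact-match signature: any byte changed anywhere defeats it."""
    return sha256_hex(blob) in known


def normalize(blob: bytes) -> bytes:
    """Lower-case and collapse whitespace so cosmetic edits don't matter."""
    return re.sub(rb"\s+", b" ", blob.lower()).strip()


def string_signature_match(blob: bytes, markers=KNOWN_STRINGS) -> bool:
    """Looser signature: survives recasing/respacing, still needs known strings."""
    norm = normalize(blob)
    return any(m in norm for m in markers)


def classify(blob: bytes) -> dict:
    """Run both signature types and report which (if any) fired."""
    return {
        "hash": hash_signature_match(blob),
        "strings": string_signature_match(blob),
    }


def demo() -> dict:
    """Looser rules buy a little; genuine novelty beats both."""
    return {
        "known": classify(KNOWN_SAMPLE),
        "variant": classify(VARIANT_SAMPLE),
        "novel": classify(NOVEL_SAMPLE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} hash={result['hash']!s:5s} strings={result['strings']}")
```

The variant is caught only because the string rule normalises before matching; the novel sample is invisible to both, which is why a signature feed needs to be backed by controls you have verified are working against what you have not yet seen.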

Page 5: HIMSS Summit of the Southeast: Compliance and Controls

Lessons from Other Verticals

There’s a market: EHRs are worth 10x more than credit card numbers (1).

Target diversification is a consequence of the innovation arms race.

If you’re in the stolen data business, why wouldn’t you target healthcare?

(1) http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924

Page 6: HIMSS Summit of the Southeast: Compliance and Controls

Selection & Exploitation

Targeted Attack: When no one but that special someone will do...

Opportunistic Attack: Whatever falls into the net, I’m not picky...

Page 7: HIMSS Summit of the Southeast: Compliance and Controls

Hacking the Brady Bunch

Common Passwords: 123456, password, 12345, 12345678, qwerty

[Diagram: each common password tried against every account in the house; most attempts come back “Nope.”, two come back “We’re in!”, and the try with 123456789 ends in “LOCKED.”]

P@ssw0rd! is totally compliant, and in my dictionary. Plan accordingly.
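The “compliant but in my dictionary” problem, as an added example that is not from the talk. The dictionary is a constructed handful of entries (the slide’s common passwords); a real deployment would load published breach lists. The point the code makes is that a complexity rule and a dictionary check answer different questions, and the dictionary check has to undo the substitutions people use to satisfy the complexity rule.

```python
import re

# Constructed mini dictionary: the slide's common passwords. A real check
# loads the published breach lists instead.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
}

# Substitutions people make to satisfy complexity rules without changing the word.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_complexity(pw: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Typical policy: minimum length plus 3 of 4 character classes."""
    classes = (
        re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
        re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw),
    )
    return len(pw) >= min_len and sum(1 for c in classes if c) >= min_classes


def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word a cracking rule set starts from."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # drop the trailing "2019!" style suffix
    core = core.translate(LEET_MAP)        # undo @->a, 0->o, $->s, ...
    return re.sub(r"[^a-z]", "", core)     # whatever is left that isn't a letter


def in_dictionary(pw: str, dictionary=COMMON_PASSWORDS) -> bool:
    """True if the password, raw or normalised, is a known common password."""
    return pw.lower() in dictionary or normalize(pw) in dictionary


def evaluate(pw: str) -> dict:
    """Complexity says yes, the dictionary says no: the dictionary wins."""
    complexity = meets_complexity(pw)
    common = in_dictionary(pw)
    return {
        "complexity": complexity,
        "normalized": normalize(pw),
        "in_dictionary": common,
        "accept": complexity and not common,
    }


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Qwerty2019", "123456", "Tr0ub4dor&3"]:
        print(f"{candidate:14s} {evaluate(candidate)}")
```

`P@ssw0rd!` passes the complexity rule and normalises to `password`, so it is rejected; `Qwerty2019` fails the same way. A policy that only checks complexity accepts both.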

Page 8: HIMSS Summit of the Southeast: Compliance and Controls

Lessons from the Bradys

Opportunistic attackers love it when we say:

1. “I don’t have sensitive data, why would they target me?”
2. “My password is my dog’s name and the year, how would anyone guess that?”
3. “Whatever, I don’t have anything that secret anyway.”

Opportunistic attackers hate it when we use:

• Multifactor authentication
• Password vaults
• Different passwords on different sites

Perfect is the enemy of good here. Just being tougher than the average bear helps a lot.
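Spotting the Brady Bunch pattern from the previous slide in your own logs, as an added example that is not from the talk. The log lines are constructed (RFC 5737 documentation addresses, the Brady first names as usernames) and the line format is an assumption. The signal is the one the slide draws: a single source failing against many different accounts, a few of which succeed, as opposed to one user failing against their own account a couple of times.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log, not from the talk. One line per attempt:
# <ISO timestamp> <username> <source address> <FAIL|OK>
# 203.0.113.5 tries one common password per account across the household;
# two accounts fall. 198.51.100.7 is greg mistyping his own password twice.
SAMPLE_LOG = """\
2024-01-01T09:00:01 mike 203.0.113.5 FAIL
2024-01-01T09:00:02 carol 203.0.113.5 FAIL
2024-01-01T09:00:03 greg 203.0.113.5 FAIL
2024-01-01T09:00:04 marcia 203.0.113.5 OK
2024-01-01T09:00:05 peter 203.0.113.5 FAIL
2024-01-01T09:00:06 jan 203.0.113.5 FAIL
2024-01-01T09:00:07 bobby 203.0.113.5 OK
2024-01-01T09:00:08 cindy 203.0.113.5 FAIL
2024-01-01T09:00:09 alice 203.0.113.5 FAIL
2024-01-01T09:01:10 greg 198.51.100.7 FAIL
2024-01-01T09:01:25 greg 198.51.100.7 FAIL
2024-01-01T09:01:40 greg 198.51.100.7 OK
"""


def parse_line(line: str) -> dict:
    ts, user, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "result": result}


def detect_spray(log_text: str, window: timedelta = timedelta(minutes=10),
                 min_users: int = 5) -> list:
    """Flag any source that fails against >= min_users distinct accounts in window.

    One account with many failures is ordinary brute force (or a typo); many
    accounts with one failure each from one source is the spray pattern.
    Successes from the same source inside the window are listed so the
    responder knows which accounts to reset first.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            failed_users = {e["user"] for e in in_window if e["result"] == "FAIL"}
            if len(failed_users) >= min_users:
                alerts.append({
                    "src": src,
                    "distinct_failed_users": len(failed_users),
                    "succeeded": sorted({e["user"] for e in in_window
                                         if e["result"] == "OK"}),
                    "first_seen": start["ts"].isoformat(),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

Per-account lockout (the “LOCKED.” in the diagram) does not trip on this pattern because every account sees only one failure; the detection has to key on the source, not the account. Multifactor authentication turns the two “succeeded” entries back into failures.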

Page 9: HIMSS Summit of the Southeast: Compliance and Controls

Targeted Attacks

The term “Must-have target” is nothing you want to be on the business end of.

Page 10: HIMSS Summit of the Southeast: Compliance and Controls

Introduction to Radio Communication

Radio station broadcasts on a set frequency of radio wave.

Music is encoded in changes to the carrier wave.

Your radio decodes the changes, you rock out.

Page 11: HIMSS Summit of the Southeast: Compliance and Controls

Assumptions have consequences

• Buzzer sends out a signal the door is listening for
• SDR reads the spike
• SDR replays radio wave spike
• Unlocked Door

The “key” is just a simple spike.

Page 12: HIMSS Summit of the Southeast: Compliance and Controls

Practical application: Key fobs

Key fob broadcasts a passcode.

Passcodes are rotated to make things interesting.

Most cars still listen for the right passcode, not the right sender.

No one wants compliance training, but everyone wants to learn how to hack. Plan accordingly.
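The two receivers from the last two slides side by side, as an added example that is not from the talk: the door buzzer that opens on a fixed “spike”, and a rotated-passcode receiver of the kind key fobs use. The rolling-code construction (a keyed MAC over a press counter, accepted within a small look-ahead window) is a common textbook design, not any particular manufacturer’s scheme; the shared key and the window size are constructed values.

```python
import hashlib
import hmac

# Constructed key shared by one fob and one receiver. Real systems provision a
# per-device secret at manufacture; this value is a placeholder for the demo.
SHARED_KEY = b"constructed-demo-key-not-a-real-one"


def rolling_code(key: bytes, counter: int) -> bytes:
    """Code for a given press counter: a keyed MAC truncated to 8 bytes."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class FixedCodeReceiver:
    """The door from the slide: one static 'spike' opens it, every time."""

    def __init__(self, code: bytes):
        self.code = code

    def receive(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


class RollingCodeFob:
    """Each press sends the code for the next counter value."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.key, self.counter)


class RollingCodeReceiver:
    """Accepts only codes ahead of the last one it saw, within a look-ahead
    window (the window tolerates presses made while out of the car's range)."""

    def __init__(self, key: bytes, window: int = 16):
        self.key, self.last_counter, self.window = key, 0, window

    def receive(self, frame: bytes) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(frame, rolling_code(self.key, c)):
                self.last_counter = c  # everything at or below c is now dead
                return True
        return False


def demo() -> dict:
    """Replay a captured frame against both designs; return each accept/reject sequence."""
    door = FixedCodeReceiver(b"spike")
    captured = b"spike"  # what the SDR recorded
    fixed = [door.receive(captured), door.receive(captured)]

    fob, car = RollingCodeFob(SHARED_KEY), RollingCodeReceiver(SHARED_KEY)
    first = fob.press()
    rolling = [car.receive(first),          # genuine press: accepted
               car.receive(first),          # replay of the same frame: rejected
               car.receive(fob.press())]    # next genuine press: accepted
    for _ in range(3):                      # presses out of range, never heard
        fob.press()
    rolling.append(car.receive(fob.press()))  # counter jumped, still in window
    return {"fixed": fixed, "rolling": rolling}


if __name__ == "__main__":
    print(demo())
```

Rotation kills the straight replay the door slide shows, but note what the receiver actually checks: it accepts any valid, not-yet-used code inside its window, from whoever transmits it. That is the “right passcode, not the right sender” property the slide describes; binding a frame to its sender takes a challenge-response exchange rather than a one-way broadcast.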

Page 13: HIMSS Summit of the Southeast: Compliance and Controls

Hospital Pager Hack

SDR hacker sits outside, passively intercepting radio signals.

Hospital staff assume too much about their pagers and communicate sensitive information.

Intercepted credentials are used to steal corporate, patient, and employee data.
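A control for the assumption on this slide, as an added example that is not from the talk: an outbound filter that holds pages containing credentials or patient identifiers so they go by a protected channel instead of a cleartext pager network. The message samples and the identifier patterns are constructed for the example; real identifier formats vary by organisation.

```python
import re

# Patterns for content that should never ride a cleartext paging channel.
# Constructed for this example; tune the identifier formats to your own.
PATTERNS = {
    "credential": re.compile(r"\b(?:password|passwd|pwd|pw|pin)\b\s*[:=]?\s*\S+", re.I),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{5,}\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB\b", re.I),
}

# Constructed outbound pages, not taken from the talk.
SAMPLE_PAGES = [
    "Code blue rm 412",
    "Call ext 5521 re consult",
    "oncall laptop vpn pw: Winter2015 pls dont share",
    "Pt J. Doe MRN 0048213 DOB 02/14/60 labs back",
    "SSN on file 123-45-6789 verify w/ pt",
]


def classify_page(message: str) -> list:
    """Names of every sensitive-content pattern the message trips, sorted."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(message))


def filter_outbound(messages) -> dict:
    """Split a batch into pages that may go out as-is and pages to hold for a
    protected channel; held entries keep the reason so the decision is auditable."""
    allowed, held = [], []
    for msg in messages:
        hits = classify_page(msg)
        if hits:
            held.append((msg, hits))
        else:
            allowed.append(msg)
    return {"allowed": allowed, "held": held}


if __name__ == "__main__":
    result = filter_outbound(SAMPLE_PAGES)
    for msg in result["allowed"]:
        print("SEND ", msg)
    for msg, reasons in result["held"]:
        print("HOLD ", msg, reasons)
```

The filter does not make the pager channel confidential; it keeps the material whose interception the slide describes off that channel, and the held list doubles as a record of who is still trying to page passwords.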

Page 14: HIMSS Summit of the Southeast: Compliance and Controls

Wrap Up

1. “We’re 100% compliant” is the battle cry of the already hacked.
2. Most folks love this stuff; education should never kill curiosity.
3. If we can teach people to save a life, we can teach them this too.

Page 15: HIMSS Summit of the Southeast: Compliance and Controls

Thank You

Compliance and Controls: A Hacker’s Perspective