
Pwning, Phishing, Clickjacking: Risks to Data Security. A Practical Approach

Presented by Kelli Tarala, Principal Consultant, Enclave Security. © 2019

Slide 2: Anatomy of a Breach

• Understand the Threat
• Recent Data Breaches
• Anatomy of a Breach
• What do we do about it?

"Pwning, Phishing, Clickjacking: Risks to Data Security" © Enclave Security 2019

Slide 3: 2018's Biggest Data Breaches

• 87 Million
• Marriott: 500 Million
• Exactis: 340 Million
• My Heritage: 87 Million
• Quora: 100 Million
• Aadhaar: 1 Billion

Slide 4: Your Company Data & Customer's Data Is At Risk

• Companies rely on maintaining the confidentiality, integrity, and availability of data in order to stay in business
• Consider what would happen if:
  – Your customers' credit card numbers were stolen?
  – Your company's intellectual property was stolen and sold?
  – Attackers accessed our networks via engineering systems?
  – Your company's networks had to be taken offline?
• It is not simply the security department's responsibility to protect data
• Ultimately all of us are responsible for protecting this data

Slide 5: What's the Vector, Victor?

Attack stages and their targets: Influence People → Install Malware → Steal Credentials → Infiltrate Networks → Exfiltrate Data

Slide 6: What is Pretexting?

• A false narrative used to gain information
• A form of social engineering
• Impersonating a person or a position of authority
• Common forms include impersonating HR, Purchasing, or the CEO

Slide 7: What is Phishing?

• An email crafted to influence the receiver to "take the bait" via a mouse click
• A malicious attachment could link to a webpage that asks for credentials
• A malicious attachment can install malware
• Phishing and pretexting represent 98% of social incidents and 93% of breaches
• Email continues to be the most common vector (96%)

Source: Malwarebytes Labs, 2019 State of Malware Report

Slide 8: Breach Case Study: RSA

• RSA was breached via social engineering / phishing (4/2011)
• Employees were targeted with an e-mail carrying the Excel document "2011 Recruitment Plan.xls"
  – It contained malware that exploited an Adobe Flash vulnerability
• The malware, once executed, ran a remote access Trojan based on the Poison Ivy toolkit
• It was not detected by the anti-malware software on the end user's workstation
• This later led to a breach of keys used in the security of RSA two-factor authentication

Slide 9: Anatomy of an Initial Breach: Phishing

Slide 10: Anatomy of a Breach (2)

Attack stages and their targets: Influence People → Install Malware → Steal Credentials → Infiltrate Networks → Exfiltrate Data

Slide 11: Sample Attack Tool: Poison Ivy RAT

Slide 12: Sample Attack Framework: Metasploit

Slide 13: Anatomy of a Breach (3)

Attack stages and their targets: Influence People → Install Malware → Steal Credentials → Infiltrate Networks → Exfiltrate Data

Slide 14: Web-based Attacks

• In addition to email, another common method for gaining initial system access is via web browsers
• Attackers will place malicious code on websites, often legitimate ones, and then convince victims to launch the code from the site
• These web-based attacks are referred to as watering hole attacks
• Be careful when surfing the Internet or using a browser, as unsafe usage can lead to a system's compromise

Slide 15: Breach Case Study: Facebook

• Internal Facebook workstations were compromised (1/2013)
• The breach was caused by an insecure version of Oracle Java running on internal workstations
• Developers visited a mobile developer website hosting an Oracle Java exploit
• The machines were patched & running up-to-date anti-malware, but were still exploited
• No data was reported as compromised in the breach
• Believed to be the same exploit that affected Apple and others in the same time frame

Slide 16: Anatomy of an Initial Breach: Watering Hole Attacks

Slide 17: Sample Attack Tool: Blackhole Exploit Toolkit

Slide 18: Anatomy of a Breach (4)

Attack stages and their targets: Influence People → Install Malware → Steal Credentials → Infiltrate Networks → Exfiltrate Data

Slide 19: Anatomy of a Lateral Movement

Slide 20: Anatomy of a Breach (5)

Attack stages and their targets: Influence People → Install Malware → Steal Credentials → Infiltrate Networks → Exfiltrate Data

Slide 21: Anatomy of a Data Exfiltration Breach

Slide 22: Transition to Actionable Steps

• Build an Program
• Define applicable regulations, standards, and laws
• Build a control library
• Build a Risk Management Program

Slide 23: Email Security: What to do?

• Never click on links in email
• If there is a URL worth visiting, re-type it in a browser
• Do not open email attachments unless you expect them
• Encrypt all sensitive information in email
• Tune network mail filters to block unwanted email
• Tune web filters to block access to malicious sites
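The email-security steps above are things a mail filter can check mechanically before a person ever sees the message. The following Python script is an added example, not part of the original presentation, showing three of those checks on a constructed message modelled on the RSA and pretexting slides: a sender whose display name claims an authority role (HR, CEO, Purchasing) but whose address is outside the organization's own domain; a link whose visible text is one URL while its href points at a different host (the reason the slide says to re-type URLs rather than click them); and an attachment of a type that can carry active content. All domains, addresses and the trusted-domain list are made-up assumptions; only the standard library is used.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organization's own mail domain(s). Anything else is "external".
TRUSTED_DOMAINS = {"example.invalid"}

# Attachment types that can carry macros, scripts or executables.
RISKY_EXTENSIONS = {".xls", ".xlsm", ".doc", ".docm", ".exe", ".js", ".hta", ".scr"}

# Display names that pretexting commonly imitates (HR, Purchasing, CEO on the slides).
AUTHORITY_NAME_RE = re.compile(r"\b(HR|CEO|Purchasing|Payroll|Finance)\b", re.I)

HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s<]+", re.I)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def analyze_message(msg: EmailMessage) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []

    # Check 1: authority-sounding display name on an external sender address.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain not in TRUSTED_DOMAINS and AUTHORITY_NAME_RE.search(display_name):
        findings.append(f"external sender {addr!r} using authority display name {display_name!r}")

    for part in msg.walk():
        # Check 2: attachment whose extension can carry active content.
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment: {filename}")

        # Check 3: HTML anchor whose visible URL text does not match its real target host.
        if part.get_content_type() == "text/html":
            for href, inner_html in HREF_RE.findall(part.get_content()):
                visible = re.sub(r"<[^>]+>", "", inner_html).strip()
                shown_url = URL_IN_TEXT_RE.search(visible)
                if shown_url and host_of(shown_url.group(0)) != host_of(href):
                    findings.append(
                        f"link text {shown_url.group(0)} actually points to host {host_of(href)}"
                    )
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed phishing-style message; every name, address and domain is made up."""
    msg = EmailMessage()
    msg["From"] = "HR Department <hr@hr-portal-example.invalid>"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "2011 Recruitment Plan - action required"
    msg.set_content("Please review the attached plan and confirm at https://intranet.example.invalid/login")
    msg.add_alternative(
        "<p>Please review the attached plan and confirm at "
        '<a href="https://intranet-example.invalid.login-check.example/login">'
        "https://intranet.example.invalid/login</a></p>",
        subtype="html",
    )
    # Placeholder bytes, not a real spreadsheet; only the filename matters to the check.
    msg.add_attachment(
        b"not a real spreadsheet",
        maintype="application",
        subtype="vnd.ms-excel",
        filename="2011 Recruitment Plan.xls",
    )
    return msg


def build_benign_message() -> EmailMessage:
    """Constructed internal plain-text message that should produce no findings."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.invalid>"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Maintenance window on Saturday"
    msg.set_content("File servers will be unavailable Saturday 02:00-04:00.")
    return msg


if __name__ == "__main__":
    for label, builder in (("suspicious", build_sample_message), ("benign", build_benign_message)):
        print(f"{label}: {analyze_message(builder()) or 'no findings'}")
```

The host comparison is deliberately exact rather than "looks similar": the slide's advice is to re-type the URL, and a filter that compares the typed-looking text with the real target host catches the common case without needing a lookalike-domain heuristic.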

Slide 24: What to do?

• In addition to email, another common method for gaining initial system access is via web browsers
• Attackers will place malicious code on websites, often legitimate ones, and then convince victims to launch the code from the site
• These web-based attacks are referred to as watering hole attacks
• Be careful when surfing the Internet or using a browser, as unsafe usage can lead to a system's compromise

Slide 25: Safe Internet Surfing

• Therefore, only visit websites you trust; if it smells fishy, it probably is
• Remember, even big companies have been known to host malware
• Only use your computer for work-related activities
• If a website asks to run a script (program), do not click OK
• If your browser warns you that a site is not safe, do not click OK
• If a pop-up tries to scare you into clicking something, do not click OK
• If you aren't sure whether a site is safe, ask someone
• Remember, second to phishing, watering hole attacks are one of the most common ways attackers find their way into an organization

Slide 26: Enter the CIS Critical Security Controls

• A realistic solution for defending against cyber security attacks
• It defines specific defenses against known cyber attacks
• Created and maintained by a volunteer army and the Center for Internet Security
• The defined controls are not always easy, but they give organizations the opportunity to prevent and detect attacks

Slide 27: Document Contributors

US Contributors Include:
• Department of Homeland Security (DHS)
• National Security Agency (NSA)
• Department of Energy (DoE) Laboratories
• Department of State (DoS)
• US-CERT and other incident response teams
• DoD Cyber Crime Center (DC3)
• The Federal Reserve
• The SANS Institute
• Civilian penetration testers
• Numerous other Federal CIOs and CISOs
• Hundreds of other private sector researchers

International Contributors Include:
• UK Government Communications Headquarters (GCHQ)
• UK Centre for the Protection of National Infrastructure (CPNI)
• Australian Defence Signals Directorate (DSD)
• Japanese Security Researchers
• Scandinavian Security Researchers
• GCC Security Researchers
• Turkish Security Researchers
• Canadian Security Researchers
• Many other international researchers

Slide 28: The CIS Controls

1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

Slide 29: Summary

• Understand the Threat
• Recent Data Breaches
• Anatomy of a Breach
• What do we do about it?

Slide 30: Further Questions

• Kelli Tarala
  – E-mail: [email protected]
  – Twitter: @kellitarala
  – Website: http://www.auditscripts.com/

• Resources for further study:
  – https://staysafeonline.org/
  – https://haveibeenpwned.com/
  – https://privacyrights.org
