Hacking & Social Engineering
Steve Smith, President Innovative Network Solutions, Inc. Presentation Contents Hacking Crisis What is Hacking/Who is a Hacker History of Hacking Why do Hackers hack? Types of Hacking Statistics Infrastructure Trends What should you do after being hacked Proactive Steps Social Engineering Objective What is Social Engineering What are they looking for? Tactics Protecting yourself INS Approach Infrastructure Assessment Network Traffic Assessment Social Engineering Assessment Conclusion
Security is Everyone’s Responsibility – See Something, Say Something! Hacking Crisis Internet has grown very fast and security has lagged behind It can be hard to trace a perpetrator of cyber attacks because most are able to camouflage their identities Large scale failures on the internet can have a catastrophic impact on: the economy which relies heavily on electronic transactions human life, when hospitals or government agencies, such as first responders are targeted What is Hacking? The Process of attempting to gain or successfully gaining, unauthorized access to computer resources
Who is a Hacker? In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network.
History of Hacking
Began as early as 1903: Magician and inventor Nevil Maskelyne disrupts John Ambrose Fleming's public demonstration of Guglielmo Marconi's purportedly secure wireless telegraphy technology, sending insulting Morse code messages through the auditorium's projector The term “Hacker” originated in the 1960’s at MIT A network known as ARPANET was founded by the Department of Defense as a means to link government offices. In time, ARPANET evolved into what is today known as the Internet. Hacking began in the 1960s at MIT , origin of the term “hacker”. During the 1980s, hacking was not known amongst the masses as it is presently. To be a hacker was to be a part of a very exclusive and secluded group Hackers have developed methods to exploit security holes in various computer systems Why do hackers hack? Just for fun. Show off. Hack other systems secretly. Notify many people their thought. Steal important information. Destroy enemy’s computer network during the war.
Types of Hacking Indiana State and Local Government
Residents have entrusted their elected officials and government employees with important data. This includes medical records, tax assessment data, property records, court records, personnel staffing records, criminal justice records, surveying records and more.
Unfortunately, there are some governments that may manage their confidential data themselves using old hardware and/or software systems that could make them more vulnerable to cyber threats. This is especially true for those that manage the utilities, creating a situation in which not only information is being stored and at risk, but so is the industrial controls and critical infrastructure.
Unlike intrusion into information technology systems, which results in the loss of data, the compromise of industrial control systems can allow attackers to take control of physical infrastructure and mechanical systems. This evolving threat puts complex manufacturing, energy infrastructure, water utilities and petrochemical production systems at risk for attack. In 2012 alone, the U.S. Department of Homeland Security reported nearly 200 attacks on industrial control systems, 40% of which were against energy production and distribution systems. http://www.in.gov/cybersecurity/2529.htm
Statistics Q2 2017 Statistics Exploits 184 billion exploit detections 1.8 billion average daily volume 6,298 unique exploit detections 69% of firms saw severe exploits
Malware 62 million malware detections 677,000 average daily volume 16,582 variants in 2,534 families 18% of firms saw mobile malware
Statistics Q2 2017 Statistics Botnets 2.9 billion botnet detections 32 million average daily volume 243 unique botnets detected 993 daily communications per firm
Infrastructure Trends Infrastructure Trends What should you do after being hacked?
Shutdown and turn off the system Unplug the network cable from the computer or shutoff the wireless network Report the crime Paying the ransom is no guarantee Contact experts (your IT Department or IT Support Company) Have a Plan B Proactive Steps
What can you do? Website Hacking
Keep all software up to date (Operating Systems and any software running on the website) SQL Injection - You can easily prevent this by always using parameterized queries XSS (Cross-site scripting) - ensure that users cannot inject active JavaScript content into your pages Error Messages - Provide only minimal errors and error information to your users, to ensure they don't leak potential vulnerabilities present on your server Server side validation/form validation - Validation should always be done both on the browser and server side File Uploads – Do NOT allow. Allowing users to upload files to your website can be a big website security risk, even if it’s simply to change their avatar HTTPS - HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees to users that they're talking to the server they expect, and that nobody else can intercept or change the content they're seeing in transit Website Security Tools - They work on a similar basis to scripts hackers will use in that they test all known exploits and attempt to compromise your site Network Hacking
Maintain a strong firewall Conduct regular scans of your network Limit and require secure remote access Enforce antivirus/anti-malware policy If you maintain credit card information, encrypt the data Keep all software up to date (Operating Systems and any software running on the internal systems) Provide and require continual education Ethical Hacking
Employ a trusted IT firm Ethical Hacking Services firm to assess your infrastructure Independently test your security processes and controls, to identify all vulnerabilities of your environment with a ranking of their level of risk based on the ease with which they can be exploited Have identified vulnerabilities exploited (often called penetration testing or pentesting) which is performed to demonstrate the consequences when these vulnerabilities were found and exploited by an attacker Review your current risks against your desired risk profile, and then develop a reliable, flexible road map that will help you manage your vulnerabilities Email Security
Ensure your firewall has ability to scan inbound email threats Install/Implement Anti-spam and Anti-virus solutions Combine a malware-prevention system that is able to detect zero-day threats Ensure your network is secure/protected to prevent access to your email server Educate your team (continuous) Password Security
Do not write your password down Make sure others do not watch you type your password Utilize a password policy that consists of: Minimum number of characters Must use special characters Must use a number Must change your password every X months Cannot use same password until X amount of changed passwords Do not use dictionary words
Example: Noah E. Smith N0ah3$m1th
Online Banking Security Follow the proactive steps to a secure password Ensure the device you use is adequately secure Avoid using public computers or insecure Wi- Fi connections Be wary of unsolicited messages supposedly coming from your bank Computer Security Employ hardware protection mechanisms USB dongles – to unlock software Computer case intrusion detection Encrypt hard drives Disable USB ports Install Anti-virus and Anti-malware solutions Install local firewall Keep operating system and Anti-virus/Anti-malware software up to date Consider a Two-Factor Authentication solution Do not give personal information over un-encrypted websites Back up your files or save them on a central server Social Engineering Objectives Understand the principles of social engineering Define the goals of social engineering Recognize the signs of social engineering Identify ways to protect yourself from social engineering
Security is Everyone's Responsibility – See Something, Say Something! What is Social Engineering
At its core it is manipulating a person into knowingly or unknowingly giving up information; essentially 'hacking' into a person to steal valuable information It is a way for criminals to gain access to information systems. The purpose of social engineering is usually to secretly install spyware, other malicious software or to trick persons into handing over passwords and/or other sensitive financial or personal information Social engineering is one of the most effective routes to stealing confidential data from organizations, according to Siemens Enterprise Communications, based in Germany. In a recent Siemens test, 85 percent of office workers were duped by engineering
What are they looking for? Obtaining simple information such as your pet's name, where you're from, the places you've visited; information that you'd give out freely to your friends. Think of yourself as a walking computer, full of valuable information about yourself. You've got a name, address, and valuables. Now categorize those items like a business does. Personally identifiable data, financial information, cardholder data, health insurance data, credit reporting data, and so on… Take a close look at some of the 'secure' sites you log into. Some have a 'secret question' you have to answer, if you cannot remember your username or password. The questions seem pretty tough for an outsider looking into trying to hack into your account. What's the name of your first pet? What is your maiden name? When was your mother/father born? Where were you born? Do these sound familiar?
Tactics 1. Pretexting – Creating a fake scenario
2. Phishing – Send out bait to fool victims into giving away their information
3. Fake Websites – Molded to look like the real thing. Log in with real credentials that are now compromised
4. Fake Pop-up – Pops up in front of real web site to obtain user credentials
5. Physical intrusions
Protecting Yourself A security aware culture can help employees identify and repel social engineering attacks
Recognize inappropriate requests for information Take ownership for corporate security Understand risk and impact of security breeches Social engineering attacks are personal Password management Two factor authentication Physical security Understand what information you are putting on the Web for targeting at social network sites Google Twitter Instagram Facebook Personal Blogs LinkedIn
Are You at Risk? Cyber Security Risk Questionaire Does your organization have a wireless network, or do employees or customers access your internal systems from remote locations? NO Does anyone in your organization take company-owned mobile devices (e.g.laptops, smartphones, and USB drives) with them, either home or when travelling? NO Does your organization use Cloud-based software or storage? NO Does your organization have a “bring your own device” (BYOD) policy that allows employees to use personal devices for business use or on a company network? NO
Are any employees allowed access to administrative privileges on your network or computers? NO Does your organization have critical operational systems connected to a public network? NO Does anyone in your organization use computers to access bank accounts or initiate money transfers? NO Does your organization store sensitive information (e.g. financial reports, trade secrets, intellectual property and product designs) that could potentially compromise your organization if stolen? NO
Does your organization digitally store the personally identifiable information (PII) of employees or customers? This can include government-issued ID numbers and financial information. NO Is your organization part of a supply chain, or do you have supply chain partners? NO Does your organization conduct business in foreign countries, either physically or online? NO Has your organization ever failed to enforce policies around the acceptable use of computers, email, the Internet, etc.? NO Can the general public access your organization’s building without the use of an ID card? NO Is network security training for employees optional at your organization? NO Can employees use their computers or company-issued devices indefinitely without updating passwords? NO Has your IT department ever failed to install antivirus software or perform regular vulnerability checks? NO Can employees dispose of sensitive information in unsecured bins? NO Would your organization lose critical information in the event of a system failure or other network disaster? NO Can employees easily see what co-workers are doing on their computers? NO Has your organization neglected to review its data security or cyber security policies and procedures within the last year? NO
Risk Assessment: Low Risk
Levels of Risk: Low, Moderate, High, Escalated INS Approach
Infrastructure Assessment
Network Traffic Assessment
Social Engineering Assessment
Guide for Cybersecurity Event Recovery
Infrastructure Assessment The Infrastructure Assessment/Penetrations non-intrusive and goes way beyond just network discovery and documentation to provide real "value- added intelligence". Our data collectors compare multiple data points to uncover hard to detect issues, measure risk based on impact to the network, suggest recommended fixes, and track remediation progress.
27 Reports including: Network Assessment Detail, Client Risks, Network Management Plan, Full Network Assessment, Network Site Diagram, Asset Detail, Excel Analysis Export, Security Assessment, Network Security Risk Review, Network Security Management Plan, External Vulnerabilities Scan Detail, Outbound Security, Security Policy Assessment, Share Permission, User Permissions, User Behavior Analysis, Login History by Computer, Login Failures by Computer, Exchange Assessment, Exchange Management Plan, Exchange Traffic and Use, Exchange Mailbox Detail, Exchange Distribution Lists, Exchange Mailbox Permissions by Mailbox, Exchange Mailbox Permissions by User, Exchange Excel Export, Exchange Mobile Device Report
Network Traffic Assessment
App Intelligence, Control and Visualization Top Apps by Risk Level Top Apps by Category Top Apps by Bandwidth Threat Prevention Botnet Top Exploitation Attempts Network Traffic Top URL Categories Top Application Categories by Bandwidth Top Country by Traffic Top Session Usage by IP Top Traffic Usage by IP Top User Sessions Top User Traffic Social Engineering
Web Spoof Mock website looks identical Different URL Request username and password Phone Spoof Impersonate IT personnel Explain the “scam” Request the username and password Email Spoof Impersonate email from IT leader or executive Request user to click on link to website Perform items included in the “Web Spoof”
Guide for Recovery Cybersecurity Event In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning. Identifying and prioritizing organization resources helps to guide effective plans and realistic test scenarios. This preparation enables rapid recovery from incidents when they occur and helps to minimize the impact on the organization and its constituents. Additionally, continually improving recovery planning by learning lessons from past events, including those of other organizations, helps to ensure the continuity of important mission functions. This guide provides tactical and strategic guidance regarding the planning, playbook developing, testing, and improvement of recovery planning.
Conclusion
Cybercrime is a for-profit business generating billions in revenue. Cybercriminals are highly motivated and will use whatever means they have to gain access to your critical data Ransomware is not new, but its recent rise in sophistication and distribution is an escalated trend to find ways to exploit individuals and businesses Security is not something you add to your business, it is integral to doing business Make sure you are partnering with security experts who understand that security is more than a device. It is: A system of highly integrated technologies Combined with an effective policy A lifecycle approach of preparing, protecting, detecting, responding, and learning Security is Everyone’s Responsibility – See Something, Say Something!
Questions? Please contact: [email protected] [email protected]