
WHAT’S OUR OBLIGATION?

Instructor Course WHY SHOULD I…??

• Legal
• Fiduciary
• Privacy
• Ethical
• Patriotic
• Lives Depend on it!

GLOBAL ATTACKS

• Cyber crime will cost 6 trillion annually by 2021

• It will be more profitable than the global drug trade

• Cyber defense spending will be 1 Trillion within the next 4 years

• There will be 3.5 million UNFILLED Cyber Security Jobs by 2021

alone is estimated to cost 11.5 billion in 2019

https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics.html

A MASSIVE PROBLEM

http://allnewspipeline.com/images/cna1.jpg

http://media4.s-nbcnews.com/j/newscms/2015_31/1148606/150730-nsa-cyber-map-jhc-1407_cde28ac585ec2df79ff3cb20f7bb4559.nbcnews-ux-2880-1000.jpg

LOSS OF CRITICAL TECHNOLOGY?

Chinese Steal Sensitive Data on U.S. Subs and Missiles from Military Contractor, Report Says

• 614 gigabytes of submarine communications data and information about Sea Dragon, “an underwater technology that the Defense Department has described as introducing a ‘disruptive offensive capability’”

• It is believed that China’s Ministry of State Security, or MSS, is responsible

• It was reported that the data was on an unclassified network, even though officials say the data “could be considered classified and was highly sensitive”

• “Former Navy officer and NSA analyst John Schindler, writing for the Observer, highlights the loss of cryptographic information used in submarine communications.” He likens the theft to the Allied compromise of the German Enigma cipher that led to the sinking of German U-boats in World War II

http://fortune.com/2018/06/10/chinese-hackers-steal-sensitive-data-us-military/

LOSS OF CRITICAL TECHNOLOGY?

Chinese Hackers Steal Dozens of Critical Military Designs for Weapons Systems

Dozens of designs for highly sensitive systems were stolen in 2013 such as:

• The Advanced Patriot missile system
• The Navy's Aegis ballistic missile defense systems
• The F/A-18 fighter jet
• The V-22 Osprey
• The Black Hawk helicopter
• The F-35 Joint Strike Fighter

http://fortune.com/2018/06/10/chinese-hackers-steal-sensitive-data-us-military/

EVEN LAW ENFORCEMENT NEEDS TO WORRY?

Let’s look at some examples:

• April 2018: Iberia Parish, Louisiana Sheriff’s infected with Ransomware

• October 2017: Pulaski County Jail cameras hacked

• February 2017: Licking County Sheriff’s Network, Websites and local computers offline

• May 2018: Securus prison phone and location tracking company hacked

• Feb 2018: LAPD account hacked

• April 2018: Arizona Road Sign Hacked

• June 2017: Multiple Florida County sites hacked

• August 2011: Antisec hacks more than 70 small town LEs

• March 2017: Warren County Sheriff’s Hacked

The Villains?

Parties and Tactics, Across Industries:

Verizon 2017 Data Breach Investigations Report

But my Password is Complicated!

The Wi-Fi Pineapple lets anyone intercept data on public Wi-Fi networks. It captures traffic crossing the network, including clear-text passwords.

But no Really…my Password is Super Complicated!

But My People Are Great!

• 99 percent said they feel responsible for data
• 21 percent of healthcare employees write down their user names and passwords near their computer
• 18 percent are willing to sell their access or confidential data to an unauthorized outsider
• Average expectation was $500-$1000
• About 25% of employees know someone in their organization who has already acted on this
• Employees are absolutely a HUGE part of the problem

Project Shine (SHodan INtelligence Extraction)

Bob Radvanovsky and Jake Brodsky of Infracritical used a specialized search engine known as SHODAN to search the globe for Industrial Control System devices exposed to the public Internet. They identified 460,000 IPs before handing the database to the DoD, which then reduced the number to under 25,000 critical Industrial Control Systems. That total is now believed to be over 2,000,000.

Shodan searched TCP/UDP port numbers such as:

• 23 (Telnet)
• 443 (HTTPS)
• 161 (SNMP)
• 80 (HTTP)
• 21 (FTP)
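The defender's counterpart to a SHODAN search is checking your own inventory for the same exposure before someone else does. The script below is an added example (not part of the deck or of Project SHINE): it takes constructed inventory records and flags Internet-facing addresses that expose the ports listed above, rating services with neither encryption nor authentication highest. It goes one step beyond the slide by also covering Modbus/TCP on port 502, since the deck later notes that Modbus has no security features at all. The inventory, the hostnames and the 203.0.113.0/24 addresses (an RFC 5737 documentation range standing in for public IPs) are all assumptions.

```python
"""Check an asset inventory for the service ports the Project SHINE search
used, on addresses reachable from the Internet. Added example; the inventory
records are constructed and Modbus/TCP (502) is added beyond the slide's list."""
import ipaddress
from typing import Dict, List

# Ports from the slide, plus 502 (Modbus/TCP), with why each matters.
SERVICE_PORTS = {
    21: ("FTP", "credentials and files in clear text"),
    23: ("Telnet", "credentials and session in clear text"),
    80: ("HTTP", "unencrypted web/HMI interface"),
    161: ("SNMP", "device state readable/writable with guessable community strings"),
    443: ("HTTPS", "encrypted, but still an exposed management surface"),
    502: ("Modbus/TCP", "no authentication in the protocol at all"),
}
NO_CRYPTO_OR_AUTH = {21, 23, 80, 161, 502}

# Address space treated as internal for this example (RFC 1918, loopback,
# link-local). Anything else is assumed reachable from the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internet_facing(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def assess(inventory: List[Dict]) -> List[Dict]:
    """Return one finding per (asset, exposed port); services with neither
    encryption nor authentication are rated high."""
    findings = []
    for asset in inventory:
        if not is_internet_facing(asset["ip"]):
            continue
        for port in sorted(asset["open_ports"]):
            if port not in SERVICE_PORTS:
                continue
            service, reason = SERVICE_PORTS[port]
            findings.append({
                "asset": asset["name"], "ip": asset["ip"], "port": port,
                "service": service,
                "severity": "high" if port in NO_CRYPTO_OR_AUTH else "medium",
                "reason": reason,
            })
    return findings


# Constructed inventory. 203.0.113.0/24 is the RFC 5737 documentation range,
# standing in for public addresses here.
SAMPLE_INVENTORY = [
    {"name": "plc-pump-01", "ip": "203.0.113.10", "open_ports": [23, 502]},
    {"name": "hmi-web",     "ip": "203.0.113.11", "open_ports": [80, 443]},
    {"name": "eng-ws-07",   "ip": "10.20.30.40",  "open_ports": [21, 23, 80]},
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f['severity'].upper():6} {f['asset']} {f['ip']}:{f['port']} "
              f"{f['service']} - {f['reason']}")
```

Run against a real inventory export, the same logic gives a short list of what SHODAN would index for you; the engineering workstation on 10.20.30.40 produces no finding because it is not routable from outside, even though it runs the same weak services.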

Industrial Control Incidents

Category                          Count
Total                             >750
Malicious                         >250
Targeted (of the 250+)            >100
Loss of View / Loss of Control    >300
Injury/Deaths                     >50 (>1,000 people)
Equipment Damage                  >100
Environmental Damage              >50
Operational Impact                >450
Financial Impact                  >$30B

What are ICS-unique Cyber Threats

• Not just the network
• Cyber-physical
• Persistent Design Vulnerabilities, not APT
• Want control of the process, not denial-of-service
  – Gap in protection of the process – eg, Aurora
  – Compromise of the measurement – eg, HART vulnerability
  – Compromise design features of the controller – eg,

Industrial Controls

• Impacts ranged from significant discharges to significant equipment damage and deaths
• Affects all industries
• Very few ICS-specific cyber security technologies, training, and policies
• >2,000,000 ICS devices directly connected to the Internet (and counting)

A Syrian group compromised an un-named water company’s computers. The Hack involved:

• Unpatched Web Vulnerabilities
• Phishing
• SQL Injection
• Obtaining Credentials for the AS400 that were stored on a front-end Web server
• Changing flow and mixture settings
• Changes were discovered by alerts and the flows and mixtures were corrected

But what if…they also made changes to the sensors that triggered the alerts? Would the result have been different?
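One way to answer that question in practice is to stop trusting the alarm path alone: reconcile the controller's own audit trail of setpoint writes against the alerts that should have followed them, so a silenced or re-ranged sensor shows up as an out-of-range change with no alert. The script below is an added example (not from the incident report or the deck); the log lines, tag names, engineering limits and the 60-second alert window are all constructed.

```python
"""Reconcile out-of-range setpoint changes against the alerts they should have
raised. Added example for the water-utility case; log lines, tag names and
limits are constructed, not taken from the incident report."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed engineering limits per process tag; any setpoint outside these
# bounds is expected to trip an alert within ALERT_WINDOW_S seconds.
SETPOINT_LIMITS: Dict[str, Tuple[float, float]] = {
    "chlorine_ppm": (0.5, 4.0),
    "flow_lpm": (200.0, 1200.0),
}
ALERT_WINDOW_S = 60

# Constructed audit trail: PLC setpoint writes and alarm-server events.
SAMPLE_LOG = [
    "2024-01-15T02:14:05 SETPOINT tag=chlorine_ppm old=1.2 new=6.5 src=web-frontend",
    "2024-01-15T02:14:09 ALERT tag=chlorine_ppm level=HIGH",
    "2024-01-15T02:31:40 SETPOINT tag=flow_lpm old=800 new=1500 src=web-frontend",
    "2024-01-15T02:33:00 SETPOINT tag=flow_lpm old=1500 new=800 src=operator-hmi",
]


def parse_line(line: str):
    """Split '<iso-time> <KIND> k=v k=v ...' into (time, kind, fields)."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), kind, fields


def find_unalerted_changes(lines: List[str], window_s: int = ALERT_WINDOW_S) -> List[Dict]:
    """Return out-of-range setpoint changes that no matching alert followed.

    A tampered sensor or alarm threshold shows up here: the process was pushed
    out of bounds, but the alarm path stayed quiet."""
    changes, alerts = [], []
    for line in lines:
        ts, kind, f = parse_line(line)
        if kind == "SETPOINT":
            changes.append((ts, f["tag"], float(f["new"]), f["src"]))
        elif kind == "ALERT":
            alerts.append((ts, f["tag"]))

    missing = []
    for ts, tag, new_value, src in changes:
        lo, hi = SETPOINT_LIMITS[tag]
        if lo <= new_value <= hi:
            continue  # in range: no alert expected
        deadline = ts + timedelta(seconds=window_s)
        alerted = any(atag == tag and ts <= ats <= deadline for ats, atag in alerts)
        if not alerted:
            missing.append({"time": ts.isoformat(), "tag": tag,
                            "new": new_value, "src": src})
    return missing


if __name__ == "__main__":
    for m in find_unalerted_changes(SAMPLE_LOG):
        print(f"{m['time']} {m['tag']} set to {m['new']} by {m['src']}: NO ALERT RAISED")
```

In the constructed log the chlorine change trips an alert four seconds later, but the flow change to 1500 L/min never does, and the script reports it. The point is that the audit trail of writes and the alarm stream come from different systems, so an attacker who can only reach one of them cannot hide the change from this comparison.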

https://www.theregister.co.uk/2016/03/24/water_utility_hacked/

Yes. Your system is likely attached to the network!

DATA CENTERS ARE VULNERABLE!

• “Control system network vulnerabilities include the use of standardized cyber vulnerable communications protocols such as Modbus/TCP, BACnet and SNMP. These protocols have been demonstrated to be vulnerable to and, in the case of Modbus, there are simply no security features built into the protocol at all. Hardware vulnerabilities include the Aurora vulnerability and Uninterruptible Power Supplies (UPSs).”

• “The Aurora demonstration proved there could be physical damage from an attack though the operators were blind because the attack was not seen from the SCADA system. An actual Aurora event affected a data center when the data center experienced multiple Aurora events over a multi-day span.”

• The very recent attack reportedly took down the UPSs and Chillers and therefore the entire datacenter for an extended period.

https://www.controlglobal.com/blogs/unfettered/data-centers-have-been-damaged-and-they-are-not-being-adequately-cyber-secured/
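The quoted point about Modbus deserves a concrete look: a Modbus/TCP request is a 7-byte MBAP header followed by a function code and its operands, and nothing in it identifies or authenticates the sender. Because the protocol cannot be fixed in place, the practical defence is to watch the wire and treat any write function code from a host other than the approved engineering workstations as an alert. The script below is an added example (not from the deck or the cited blog): it parses constructed frames, identifies write function codes, and checks the source address against an allow list. The addresses, unit ids and the allow list are assumptions.

```python
"""Parse Modbus/TCP requests and flag writes from hosts that are not the
engineering workstations allowed to change the process. Added example; the
frames, addresses and allow list are constructed."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Modbus function codes that change process state. The protocol carries no
# authentication, so the source address is the only thing a monitor can check.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int         # starting coil/register address
    value_or_count: int  # value for single writes, quantity for reads/multi-writes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the first four PDU bytes."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header plus PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    fc, addr, val = struct.unpack(">BHH", frame[7:12])
    return ModbusRequest(tid, unit, fc, addr, val)


def build_request(tid: int, unit: int, fc: int, addr: int, val: int) -> bytes:
    """Encode a minimal request; used here only to construct sample traffic."""
    pdu = struct.pack(">BHH", fc, addr, val)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def check_request(src_ip: str, frame: bytes, allowed_writers: Set[str]) -> Optional[str]:
    """Return an alert string for a write from an unapproved source, else None."""
    req = parse_modbus_tcp(frame)
    if req.function_code in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        name = WRITE_FUNCTIONS[req.function_code]
        return (f"{src_ip} sent {name} (fc={req.function_code}) to unit {req.unit_id} "
                f"address {req.address} value {req.value_or_count:#06x}")
    return None


def audit(observations: Iterable[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[str]:
    """Run check_request over (source IP, frame) pairs and collect the alerts."""
    return [a for src, frame in observations
            if (a := check_request(src, frame, allowed_writers)) is not None]


# Constructed observations: (source IP, frame). Only the engineering
# workstation 10.1.1.5 is supposed to write to the PLC.
ALLOWED_WRITERS = {"10.1.1.5"}
SAMPLE_TRAFFIC = [
    ("10.1.1.20", build_request(1, 1, 3, 0x0000, 10)),      # HMI polls registers
    ("10.1.1.5",  build_request(2, 1, 6, 0x0010, 0x1234)),  # approved setpoint write
    ("10.1.1.99", build_request(3, 1, 5, 0x0002, 0xFF00)),  # unknown host forces a coil
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print("ALERT:", alert)
```

The allow list is a network-layer substitute for the authentication the protocol lacks, so it is only as good as the segmentation around it: a compromised engineering workstation, or a spoofed source address on a flat network, passes this check. That is the same reason the slide that follows says not to rely on any single control.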

So what’s the point you ask?

• Don’t rely on facility Security Technology
• Don’t assume live security will catch a determined actor
• You MUST encrypt where possible

PHYSICAL MANAGEMENT IS CRITICAL

Drones Are a Physical and Logical Threat

The Department of Homeland Security (DHS)/National Protection and Programs Directorate (NPPD)/Office of Cyber and Infrastructure Analysis (OCIA) assesses that unmanned aircraft systems (UASs) provide malicious actors an additional method of gaining undetected proximity to networks and equipment within critical infrastructure sectors.

In 2016, researchers in Israel flew a UAS outside of an office building and were able to compromise smart lightbulbs installed within the building using equipment attached to the UAS. The researchers were able to perform over-the-air firmware updates to take control of the lightbulbs at a range of 350 meters.

In 2015, researchers in Singapore attached a smartphone holding applications to a UAS to detect printers with unsecured wireless connections. The researchers flew the UAS outside an office building, had the phone pose as the printer, and tricked nearby computers to connect to the phone instead of the printer. When a user sent a document for printing, the phone intercepted the document and sent a copy to the researchers using a 3G or 4G connection.

Let’s Look At Spreading Entity Killers

• AKA: CryptoWall, Crypto Locker, Reveton, Locky, Petya, NotPetya, CryptoMix, Shark CryptoMix
• Extortion – Blackmail – Shaming
• IT Hostage (Needing Rescue) – IT Hostage Rescue™

https://upload.wikimedia.org/wikipedia/commons/8/84/National_Security_Agency_headquarters%2C_Fort_Meade%2C_Maryland.jpg

NSA & CIA HACKS AND TOOLS RELEASED

• NSA Thieves - Shadow Brokers
• Tools from (US, Australia, Britain, Israel, &…?)
• Team Equation is believed to be behind (espionage) & Stuxnet (sabotage)
• AV firms documented 500+ related infections in 42 countries
• Designed to control Routers and Firewalls
• Now packaged to target additional assets
• Malware, zero day, private exploits, and hacking tools (most avoiding traditional security methods)

SAMPLE OF NEARLY 100 TOOLS THOUGHT TO BE CIA

NSA & CIA Hacks and Tools Released

• SparrowHawk – Keylogger intended for use across multiple architectures and Unix-based platforms
• Terodactyl – A “custom hardware solution to support media copying”
• DerStarke – Boot-level rootkit implant for Apple computers
• GyrFalcon – Tracks the client of an OpenSSH connection and collects password, username and connection data
• SnowyOwl – Uses OpenSSH session to inject code to target asset
• HarpyEagle – Hardware-specific tool to gain root access to Apple’s Airport Extreme and Time Capsule
• BaldEagle – An exploit for Unix systems’ Hardware Abstraction Layer
• CRUCIBLE – An “automated exploit identification” tool
• GreenPacket – Router implant kit
• QuarkMatter – Another boot-level rootkit implant for Apple computers

RUSSIAN GOVERNMENT CYBER ACTIVITY

Targeting Energy & Other Critical Infrastructure Sectors

There has been repeated access to American and EU:

• Power Grids
• Nuclear
• Electric
• Water

So far no sabotage (that they will admit to) has occurred.

RUSSIAN GOVERNMENT US ELECTION ACTIVITY

America’s election infrastructure was targeted.

• U.S. Intelligence says Russian sponsored actors “obtained and maintained access to elements of multiple US state or local electoral boards.”
• A January 2017 report “includes an analytic assessment drafted and coordinated among The Central Intelligence Agency (CIA), The Federal Bureau of Investigation (FBI), and The (NSA), which draws on intelligence information collected and disseminated by those three agencies.”
• Russian President ordered the attack on the US presidential election.
• Russia’s intelligence services conducted cyber operations against both major US political parties.
• Russian military intelligence (General Staff Main Intelligence Directorate or GRU) likely used the 2.0 and DCLeaks.com US data

https://www.dni.gov/files/documents/ICA_2017_01.pdf

RUSSIAN GOVERNMENT US ELECTION ACTIVITY

What they think we know about the results:

• The types of systems Russian actors [WERE KNOWN TO HAVE] targeted or compromised were not [KNOWN TO HAVE BEEN] involved in vote tallying.
• Russian intelligence attacked “US primary campaigns, think tanks, and lobbying groups they viewed as likely to shape future US policies.”
• In July 2015, Russians gained systems access to the Democratic National Committee (DNC) and held it until at least June 2016.
• Talking out of both sides of their mouths – “Whether there were attacks on voting systems or vote tabulation systems is unknown. The committee authoring this report is not aware of an ongoing investigation into this possibility.”

https://www.dhs.gov/sites/default/files/publications/DHS%20Election%20Infrastructure%20Security%20Resource%20Guide%20April%202018.pdf

https://www.dni.gov/files/documents/ICA_2017_01.pdf

RUSSIAN GOVERNMENT US ELECTION ACTIVITY

What are we doing about it?

• Homeland Security declared in January 2017, “Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law,” Secretary of Homeland Security Jeh Johnson said in a statement.
• DHS is now offering a Cyber Infrastructure Survey (CIS) that “is a no-cost, voluntary survey that evaluates the effectiveness of organizational security controls, cybersecurity preparedness, and overall resilience.”

Bottom line is that election security is up to the states and NOT Mandatory – Yes Way.

https://www.dni.gov/files/documents/ICA_2017_01.pdf

RUSSIAN GOVERNMENT US ELECTION ACTIVITY

What we know about conditions:

• Many systems are old and not updated
• The largest voting systems vendor reportedly admitted that remote-access software was pre-loaded after making unequivocal denials to an investigative reporter
• That same manufacturer acknowledged that modems were also included so “technicians” could remotely access the systems
• ES&S machines registered at least 60 of 2006 US Ballots
• ES&S contracts spoke of use of remote access software

https://motherboard.vice.com/en_us/article/mb4ezy/top-voting-machine-vendor-admits-it-installed-remote-access-software-on-systems-sold-to-states

https://www.washingtontimes.com/news/2018/jul/17/ess-voting-machine-maker-says-election-systems-con/

BRING YOUR OWN DISASTER ™

• Using for sensitive data without proper precautions
• Failing to update devices
• Not leveraging encryption and MDM technologies
• Using unsecure or unverified Wi-Fi
• Failing to follow proper policies and procedures

BRING YOUR OWN DISASTER ™

• Failure to isolate work from personal data
• Not reporting lost/stolen devices
• Use of un-vetted apps
• Shadow IT using unapproved services
• Failure to force locking mechanisms, encryption and auto delete (brute force) protections

Proper Device Hygiene is Critical

Let’s Talk About ID & Social Engineering

Fileless Malware

• No code or signature to detect using traditional AV
• No unique behavior heuristics scanners can detect
• May be married with other malware
• Resides in RAM
• Leverages native functions of the operating system
• Can often circumvent whitelisting
• Very difficult to stop as it leverages tools that are used nearly every day by IT
• Leaves no signature to be detected
• Can lead to total stealth and persistent infection

HIDDEN CAMERAS

Stealth Example

• StealthGenie was capable of being installed on phones, including iPhone, Android and Blackberry

• It could intercept all calls and text messages

• The app was undetectable by most users and was advertised as being untraceable, according to authorities

• NEVER let a stranger use your phone!!!

The Department will counter cyber campaigns threatening U.S. military advantage by defending forward to intercept and halt cyber threats and by strengthening the cybersecurity of systems and networks that support DoD missions.

This includes:

1. Working with the private sector and our foreign allies and partners to contest cyber activity that could threaten Joint Force missions; and
2. To counter the exfiltration of sensitive DoD information.

The Department will prioritize securing sensitive DoD information and deterring malicious cyber activities that constitute a use of force against the , our allies, or our partners. Should deterrence fail, the Joint Force stands ready to employ the full range of military capabilities in response.

https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF?wpisrc=nl_cybersecurity202&wpmm=1

The 2018 Department of Defense Cyber Strategy represents the Department’s vision for addressing this threat and implementing the priorities of the National Security Strategy and National Defense Strategy for cyberspace. The Department’s cyberspace objectives are:

1. Ensuring the Joint Force can achieve its missions in a contested cyberspace environment;
2. Strengthening the Joint Force by conducting cyberspace operations that enhance U.S. military advantages;
3. Defending U.S. critical infrastructure from malicious cyber activity that alone, or as part of a campaign, could cause a significant cyber incident;
4. Securing DoD information and systems against malicious cyber activity, including DoD information on non-DoD-owned networks; and
5. Expanding DoD cyber cooperation with interagency, industry, and international partners.

“The Department must be prepared to defend non-DoD-owned Defense Critical Infrastructure (DCI) and Defense Industrial Base (DIB) networks and systems.

1. Our chief goal in maintaining an ability to defend DCI is to ensure the infrastructure’s continued functionality and ability to support DoD objectives in a contested cyber environment.
2. Our focus working with DIB entities is to protect sensitive DoD information whose loss, either individually or in aggregate, could result in an erosion of Joint Force military advantage.
3. [T]he Department will: set and enforce standards for cybersecurity, resilience, and reporting; and be prepared, when requested and authorized, to provide direct assistance, including on non-DoD networks, prior to, during, and after an incident.

Know Your Environment

Stay Aware and Vigilant

Close Vulnerabilities Across The Enterprise

Implement & Test Controls

Configure Ample Monitoring & Alerting

Have a Plan, Train on it & Test



• https://www.nbcnews.com/news/us-news/exclusive-secret-nsa-map-shows-china-cyber-attacks-us-targets-n401211
• www.military.com/video/operations-and-strategy/cyberterrorism/chinese-hack-us-weapon-systems/2416517927001
• https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF
• http://www8.nationalacademies.org/onpinews/newsitem.aspx?RecordID=25120&_ga=2.197341355.563761842.1536343615-1198240698.1536343615
• https://www.dhs.gov/sites/default/files/publications/niac-cyber-study-draft-report-08-15-17-508.pdf
• https://www.controlglobal.com/blogs/unfettered/
• https://www.nap.edu/download/25120
• https://www.csoonline.com/article/3276660/security/what-is-shodan-the-search-engine-for-everything-on-the-internet.html
• https://www.tofinosecurity.com/blog/project-shine-1000000-internet-connected-scada-and-ics-systems-and-counting
• https://en.wikipedia.org/wiki/Shodan_(website)
• https://www.us-cert.gov/ncas/alerts/TA18-074A
• https://www.theregister.co.uk/2016/03/24/water_utility_hacked/
• https://www.dhs.gov/sites/default/files/publications/DHS%20Election%20Infrastructure%20Security%20Resource%20Guide%20April%202018.pdf
• https://thehill.com/policy/national-security/313132-dhs-designates-election-systems-as-critical-infrastructure
• https://www.dhs.gov/cybersecurity-publications#
• http://www.homelandsecuritynewswire.com/cyber-attacks-critical-infrastructure-reach-us-bf
• https://money.cnn.com/2015/10/16/technology/sniper-power-grid/index.html
