Protect Your Properties from Cyber Attacks!

MNP Cyber Security Presentation

Presented by: Danny Timmins, National Cyber Security Leader 2017

Cyber Security

• MNP Technology Solutions
• Cyber Security Overview
• Cyber Crime Tactics and Techniques
  o Hacking (Penetration Testing)
  o Social Engineering
  o Red Teaming
• Considerations

Lessons from the field

• Canada’s 5th Largest Accounting | Tax | Consulting firm
• 4,500 Team Members
• 80 Offices coast to coast
• 55 Cyber Security Professionals Nationally

MNP is more than an Accounting Firm

• Digital Strategy
• Operational Technology
• Portal Development
• IoT
• Business Continuity
• Cyber Security & Risk
• Workplace Collaboration
• Data Analytics
• CRM/ERP
• DevOps
• Cloud Strategy
• Auditing

Predictions

➢99% of vulnerabilities exploited will continue to be the ones known by security/IT professionals.

➢The single most impactful enterprise activity to improve security will be patching.

➢The second most impactful enterprise activity to improve security will be removing web server vulnerabilities.

➢Internet of Things will grow to an installed base of 20.4 billion.

➢A third of successful attacks experienced by enterprises will be on their shadow IT resources.

➢Companies are using more than 15 times more cloud services to store critical company data than CIOs were aware of.

➢Nearly eight in ten (77%) of decision makers admit to using a third-party cloud application without approval.

What’s happening in the industry?

• Damages have started to increase in Canada. Casino Rama is an example of damages increasing: 30+ Million.

• Canada’s new privacy laws (Digital Privacy Act) will require breach notification and affect private sector operations in Canada. Do you know your data?

• Cyber Insurance: how much do you need, and is it focused on the correct areas?

• Mandatory cyber audits are coming for publicly traded companies in Canada. The US is pushing hard; it’s coming.

• Payment Card Industry (PCI) already has compliance requirements. E.g. Best Western Motels have been targeted; very limited security.

• Equifax: 140M-plus affected, 100,000+ in Canada. Patch management is said to be the issue; the breach was mishandled from the start, directing clients to a phishing site.

Who is Behind Cyber Attacks?

• Nation States
• Organized
• Non-Organized
• Employee: Technical
• Employee: Business
• Malicious Former Employee

89% of breaches had a financial or espionage motive.

Cyber Security Building Assessment

Assess:
- Perform a cyber security health check which includes building network systems
- Do an inventory of assets

Detect:
- Try to compromise the facility physically
- Perform phishing testing (email, wireless)
- Assess which devices are accessible (externally/internally) and have vulnerabilities
- Perform automated security scanning
- Perform penetration testing

Remediate:
- Document results to fix all found vulnerabilities
- Retest the systems to make sure that the systems have been patched
- Work with you and your vendors

What if a data breach happened? What are the risks?

- Impact on building management systems
- Unauthorized physical access to tenant areas
- Brand and reputation
- Non-compliance with privacy regulations
- Unable to fulfill service commitments
- Loss of tenants

Other Risks to Consider

• Supply Chain/Vendor Management
• Privacy - Personally Identifiable Information (PII)
• Regulatory Compliance
• Intellectual Property (IP)
• New Automation deployments - IoT (Internet of Things)
• Payment Systems (Ecommerce or Point of Sale)
• Strategic plans, engineering drawings, RFPs, Proposals, etc.
• Life Safety Systems – elevators, exhaust

Let’s take a closer look!

What is Hacking?

- The EXPLOIT of a technical vulnerability
- Human error (still a vulnerability)
- Can involve chaining together a series of weaknesses
- Performed without owner permission

What is Penetration Testing?

- Similar to hacking, except the owner gives permission
- Attempt to gain access to sensitive information or resources
- Steps can include:
  - Information gathering
  - Vulnerability enumeration
  - Vulnerability exploitation / Privilege Escalation
  - Exploration / Lateral Movement
- Performed against a defined scope
- Measures Network(s) and Application(s) resiliency
- Overall goal is to improve security posture

Almost ALWAYS Starts with a Vulnerability

Example 1:

Target: Management Controller

Dump Password Hashes:

What Can You Do with a Hash?

“Hashinator”

26 lower case letters (a-z)
26 upper case letters (A-Z)
10 digits (0-9)
8 characters

26 + 26 + 10 = 62

62^8 = 218,340,105,584,896 combinations

…or less than 2 days
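As an added example (not from the MNP deck), the slide's keyspace arithmetic as a small Python calculator that generalizes to other character sets and password lengths, which is how a defender turns the "less than 2 days" figure into a password-policy decision. The guess rate of about 1.3 billion hashes per second, and every function name below, are the example's own assumptions; the rate is chosen so that an 8-character mixed-case alphanumeric password comes out at roughly the two days the slide quotes.

```python
# Added example, not code from the presentation. Turns "62^8 combinations ... < 2 days"
# into a reusable estimate for comparing password policies.
import string

# Assumption: ~1.3 GH/s against a fast, unsalted hash. Chosen so that the slide's
# 8-character, 62-symbol case lands at roughly 2 days of worst-case guessing.
ASSUMED_HASHES_PER_SECOND = 1.3e9

CHARSETS = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "lower+upper": string.ascii_letters,
    "lower+upper+digits": string.ascii_letters + string.digits,
    "lower+upper+digits+symbols": string.ascii_letters + string.digits + string.punctuation,
}


def keyspace(charset_size, length):
    """Number of candidate passwords: each position can hold any of charset_size symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, rate=ASSUMED_HASHES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds):
    """Round a duration to the largest convenient unit, slide-summary style."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def policy_table(lengths=(8, 10, 12)):
    """Rows of (charset name, length, keyspace, worst-case time) for a policy comparison."""
    rows = []
    for name, chars in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, keyspace(len(chars), n),
                         human_duration(seconds_to_exhaust(len(chars), n))))
    return rows


if __name__ == "__main__":
    # The slide's case: 26 + 26 + 10 = 62 symbols, 8 characters.
    print(keyspace(62, 8))  # 218340105584896
    print(human_duration(seconds_to_exhaust(62, 8)))  # 1.9 days
    for name, n, space, duration in policy_table():
        print(f"{name:28s} len={n:2d} keyspace={space:.3e} exhaust in {duration}")
```

Lengthening the password matters far more than widening the character set: at the same assumed rate, the 12-character row of the same 62-symbol set comes out in tens of thousands of years rather than days.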

Username/Password Leads to Full VM Infrastructure

Once Access is Gained… Then We “Pivot”

Page 27

2 7 Access to HVAC System…

Example 2: Programming Error

What is Social Engineering?

- An act that influences a person to take an action
- Used by attackers because it consistently works
- There is no patch for untrained users
- Performed against a defined scope
- Three types of Social Engineering:
  - Phishing
  - Vishing
  - Impersonation
- Measures how well People identify SE attacks

Example Phishing

“Hello, my name is XXXXX. Resume attached. I look forward to seeing you. Sincerely yours, XXXXX”

Social Engineering: Attackers Deploy Fake Social Media Profiles

Tip #3 – Google Images

- Use Google Images to verify and validate pictures

What is Red Teaming?

• Contains aspects of Penetration Testing and Social Engineering
• Performed with the permission of the owner
• Typically a full-scope, multi-layered attack simulation
  – Penetration Testing
  – Social Engineering
  – Physical Security Controls
• Designed to measure resiliency of People, Network(s), and Application(s) during a real-life attack
• Attacks are performed simultaneously
• Overall goal is to identify gaps and improve Incident Response

Public Infrastructure – SCADA

• Engagement Objectives:
  – Non-Technical Objectives (Flags)
    • Gain access to the SCADA facility
  – Technical Objectives (Flags)
    • Perform Penetration Test against internal assets
    • Attempt to gain access to PLC controllers
• Rules of Engagement:
  – Assets will not be removed from their physical location

• Engagement Findings:
  – Successfully gained access to the facility by piggybacking in behind an employee
  – Performed a penetration test against internal assets and was able to recover password hashes
  – Able to bypass the thin client to gain access to the corporate network from the SCADA facility
  – Access to the PLC network was gained due to a lack of network segmentation
  – Determined a DoS was possible on the PLC network by sending one malformed packet
  – No indicators of compromise were detected by the client

Red Team - Key Findings

• Social Engineering attacks like phishing and impersonation consistently work
  – Lack of Security Awareness training for employees aids attackers
• Once inside an organization, detection does not occur
  – Security controls like IDS/IPS can log events; however, no one responds to alerts
• Lack of patch management and build/hardening standards
  – Allows for compromise of sensitive information/data
• Organizations are not equipped to deal with real-life adversary attacks

Considerations

▪ Do a company-wide Cyber Security Health Check. Do you and your executives understand what risks you are protecting against and where to prioritize budget & resources?

▪ Develop and implement the appropriate cyber security infrastructure to protect your organization. When was the last time you and your team reviewed your infrastructure?

▪ Understand potential exposure by engaging “ethical hacker” cyber security consultants to hack your organization: Networks, Applications, Mobile.

▪ Incident Response: a) have you developed a plan and done a tabletop exercise? b) Do you know who to call if a breach happens?

▪ Supply Chain/Vendor/Third Parties Management Strategy, beginning with the IT-focused contracts.

▪ Backup & Recovery: have backups been tested for recovery, and do you have backups offline & offsite?

▪ How are you controlling Shadow IT? Do people install applications without permission?

▪ Cyber Security Educational Training: training can’t just be a poster on a wall (videos, testing, personalization, etc.).

▪ Does the organization store, process or transmit credit card data? It MUST be PCI compliant.

▪ Has your organization considered outsourcing your Cyber Security to dedicated Cyber Security Admins & Advisors?

▪ Consider purchasing cyber security insurance. Make sure it is focused on the key risk loss areas of the business.

▪ Is your business putting in place Cyber Security practices, procedures and metrics? Does your risk register include Cyber Security, and is it focused on the right risks? Does the board actually understand and agree with the risks being covered? Were they part of the decision?

Cyber Security Services

Offensive Security (Red Team)
• Penetration Testing
• Blended Threat Attack Exercises
• Social Engineering
• Vulnerability Assessments
• Cloud Security Checklist

Risk Management
• Quantitative Threat and Risk Assessment (based on probabilities and industry statistics)
• Qualitative Threat and Risk Assessment (based on matrix approach)
• Privacy Impact Assessments
• MTA (Maturity Threat Analysis)
• Information Security Framework Development
• Assessment and Review against ISO27k, NIST, CSF or CSC 20
• Policy, Process, Procedure and Documentation Development

Defensive Security (Blue Team)
• Enterprise Network Security
• Network, Wireless and Security Architectural Design
• Perimeter and Data Center Security
• Data Loss Prevention and Data Encryption
• Email / Web Content Filtering and Malware Protection
• Secure Access and Authentication
• End Point Security and Encryption
• Wireless, BYOD and Network Access Control
• Security Hardening Standards and Guidelines
• Virtualization and Cloud Computing Standards and Guidance
• Security Awareness Training

Payment Card Industry (PCI) Compliance
• Scope Discovery
• Gap Analysis and Readiness Review
• On Demand Consulting and Remediation
• PCI Report on Compliance Validation (ROC)
• PCI SAQ Review and Sign Off
• External ASV Scanning
• Annual Maintenance (Business as Usual)

Forensics
• Data Retrieval from hard drives, servers, laptops, cell phones, etc.
• E-Discovery Service for Court Admissibility

Managed Services
• Cyber Security Administration
• Perimeter Threat Prevention (firewall, IPS, anti-virus, web application firewalls, etc.)
• 2-Factor Authentication
• Log Management

• Proposed Tax Changes: http://www.mnp.ca/en/posts/tax-changes-and-your-family-business-what-you-need-to-know

• Impacts on Your Family Business: http://www.mnp.ca/en/posts/tax-changes-and-your-family-business-what-you-need-to-know

• Risk Management in Cyber Security: http://www.mnp.ca/en/real-estate-and-construction/risk-management-in-cyber-security

Questions?

Danny Timmins, National Leader, Cyber Security

[email protected]
