Table of Contents

“Cyber Threats: An Overview for Operational Risk Managers”

RBC Enterprise Operational Risk Management

1. Introduction 3
2. Cyber Threats as Global Threats 4
3. Perpetrators of Cyber Attacks 6
4. Cyber Security Strategy & PICNICs 7
   Case Study #1: Social Engineering at the Pentagon 8
5. Gateways of Internet Vulnerability 9
   Case Study #2: Anonymous versus Booz Allen Hamilton 10
6. Current Top Cyber Threats
   • Distributed Denial of Service (DDoS) Attacks 11
   • BotNets 13
   • Viruses 14
   Case Study #3: Aramco 15
   • Worms 16
   • Trojan Horses 17
   • Logic Bombs 18
   • Phishing and Spear Phishing 19
   • Exploit Kits 20
   • Drive-by Exploits 21
   • Code Injection Attacks 22
   • Rogueware 23
   • Rogue Certificates 24
   • Identity Theft 25
   • Confidential Information Breaches 26
   Case Study #4: Hacking the Dalai Lama 27
   • Targeted Attacks 29
   Case Study #5: Stuxnet 30
7. Malware as a Service (MaaS) 33
8. Zero-day Vulnerabilities 34
   • Heartbleed 35
   • Shellshock / Bash 36
9. The Problem of Attribution 37
10. The Bleeding Edge: Supply Chain Hardware Hacking 38
   Case Study #6: Android Phone Hardware Hack 39
11. Hackbacks and the Legal Limits of Cyber Self-Defense 40
12. Insurance Against Cyber Threats 41
   Case Study #7: Target and the Cost of Cyber Attacks 42
13. Comments from the Head of U.S. Cyber Command 43
14. Conclusion 44
15. Contact Information 45
16. Disclaimer 46

1. Introduction

The purpose of this presentation is to provide an overview of the current state of Cyber Threats to Operational Risk Managers and other non-technologists.

• Cyber Security has always been and will always be primarily the responsibility of IT departments.
• As the frequency and severity of incidents have increased, regulators have stressed the need for greater awareness and communication across organizations.
• Because of Operational Risk Management’s high level of visibility with senior management, ORM is well positioned to be a positive force for change in an organization, both in heightening awareness of Cyber Threats and in improving the responses to them.

2. Cyber Threats as Global Threats

On February 26, 2015, James Clapper, the U.S. Director of National Intelligence, gave his annual “Worldwide Threat Assessment of the US Intelligence Community” to the Senate Select Committee on Intelligence. For the third year in a row, “Cyber Threats” topped the list of Global Threats.

2. Cyber Threats as Global Threats

Here is the list of “Global Threats,” in the order they were presented in the version of the document that has been made available to the public:

• Cyber Threats
• Counterintelligence
• Terrorism
• Weapons of Mass Destruction and Proliferation
• Space and Counterspace
• Transnational Organized Crime
• Economics and Natural Resources
• Human Security

The “Worldwide Threat Assessment” also discusses specific regional threats in the Middle East, Europe, Asia, Latin America, and sub-Saharan Africa. The unclassified version of the file is available online: http://www.dni.gov/files/documents/Unclassified_2015_ATA_SFR_-_SASC_FINAL.pdf

3. Perpetrators of Cyber Attacks

According to the report, the major perpetrators of cyber attacks are as follows:

• Cybercriminals: Cybercriminals are motivated by financial gain. They range from individuals to vast networks that are organized on an international level.
• Terrorists: Their preferred targets are usually critical infrastructure, such as energy production and telecommunications, and military targets.
• Hacktivists: Hacktivists are politically motivated. They usually target high profile websites, corporations, intelligence agencies, and military institutions.
• Nation States: Many nation states have advanced offensive cyber capabilities, and can use them in hostile actions against adversaries, or for general espionage.
• Corporations: Some corporations and organizations engage in activities like theft of intellectual property to gain competitive advantage over their competitors.
• Current or Former Employees: Employees have insider knowledge of a firm’s systems, resources, and defenses.
• Random Individuals

4. Cyber Security Strategy & PICNICs

Many companies use some version of the following three-pronged approach as the basis of their cyber security strategies:

1. Hunkering down behind industrial strength firewalls.
2. Hardening user computers and workstations with anti-virus software.
3. Limiting computer and network access by restricting the use of Wi-Fi, USB inputs, Remote Access, external hard drives, etc.

So, has this three-pronged strategy been effective?

• The answer is a qualified “Yes.” While practically all financial services firms have been subject to cyber intrusions of one form or another, the number of firms that have been severely impacted appears to be limited. However, that list is growing. Also, attackers are well acquainted with these strategies, and plan their attacks accordingly.
• Almost all cyber security strategies have “PICNIC” vulnerabilities: PICNIC = “Problem In Chair, Not In Computer.” PICNICs are usually associated with end users. However, PICNICs can also refer to IT departments.
• Social Engineering and a basic understanding of Psychology have been used numerous times by attackers to come up with PICNIC exploits that can offset or negate even sophisticated cyber security strategies. [see Case Study #1 on slide #8]

Case Study #1: “Social Engineering” at the Pentagon

The Pentagon in Arlington, Virginia houses the US Department of Defense. It is one of the largest office buildings in the world, and one of the most secure.

The Pentagon has strict rules about the use of USB thumb drives on its computers. One of its IT security areas decided to see how effective those protocols were. So, over the course of several days, they seeded several Pentagon parking lots with thumb drives, to see how many would get used on Pentagon computers. The only software on the thumb drives was a program that called back to a host to report that it had been plugged in, along with the IP address of that computer. They found that 20% of the thumb drives got plugged in.

A few weeks later, they decided to repeat the experiment, but this time with a Social Engineering component – they branded the drives “CIA,” “FBI,” or “NSA” to make them more enticing. Almost 80% of the falsely branded drives got plugged in.

"Cyber!Threats"!|!Neil!Roth!|!11!December!2014! RBC Enterprise Operational Risk Management 8 5. Gateways of Internet Vulnerability

!!!!!“Cyber!Threats:!An!Overview!for!Opera7onal!Risk!Managers”!

From it’s earliest incarnations, the internet was designed to facilitate the rapid, accurate, and effective communication of information. Security was never the primary concern. As such, there are several things to keep in mind: 1. Instantaneous Action at a Distance The people attacking your company may be based in countries that don’t even have an extradition treaty with your country, so legal recourse may be difficult or impossible. 2. Anonymity in Cyberspace Cyber criminals who have the requisite skills in hiding or obscuring their activities have a big advantage over their targets. 3. Lack of Borders Nations have at least some degree of control over their physical borders. Controlling internet borders is much more difficult. 4. Asymmetries of Cyberspace A small group of actors can effectively attack large targets. [see Case Study #2 on slide #10]

Case Study #2: “Anonymous” versus Booz Allen Hamilton

In 2011, the hacktivist group “Anonymous” breached the cyber defenses of US contractor Booz Allen Hamilton, and posted the encrypted of thousands of US military personnel online.

After the hack was reported in the media, and confirmed by the Pentagon, Booz Allen Hamilton tweeted that its security policy restricted it from commenting on attacks against its systems.

In response, Anonymous tweeted: “You have a security policy? We never noticed. We infiltrated a server that basically had no security measures in place. We were able to run our own shell application, and begin plundering. We were also able to grab 4GB of your source code and wipe it from your system. We are Anonymous. We are AntiSec. Expect us.”

6. Top Cyber Threats: DoS and DDoS Attacks

“Denial of Service” (DoS) attacks are an attempt to make a resource unavailable to its users. “Distributed Denial of Service” (DDoS) attacks occur when multiple sources launch simultaneous DoS attacks against a single target. The “Low Orbit Ion Cannon” (LOIC) is the most popular application used for DDoS attacks. The LOIC features a user-friendly web-based interface. An attacker simply enters a URL or an IP address, then clicks to commence an attack.

6. Top Cyber Threats: DoS and DDoS Attacks

The “Low Orbit Ion Cannon” (LOIC – see slide #11) was originally created as legitimate network stress testing software. It was repurposed for DDoS attacks. Other popular DDoS software includes XOIC, HULK (a/k/a “HTTP Unbearable Load King”), DDOSIM, and RUDY (a/k/a “R-U-Dead-Yet”).

There are three basic types of attacks:

1. Application-layer = targets Windows, Apache, OpenBSD, or other software vulnerabilities to perform the attack and crash the server.
2. Protocol-level = attacks on the protocol level, including Ping of Death & Synflood.
3. Volume-based = attacks include ICMP & UDP floods done with spoofed packets.

Attackers will use as much firepower as possible in order to make the attack more difficult to defend, often employing “Botnets” (see slide #13).

Defenses involve detecting and then blocking fake traffic:

• Simple attacks can be defended by configuring the firewall to block the IP addresses that are sending the overflow traffic.
• “Blackholing” detects the fake attacking traffic and sends it to a black hole.
• “Sinkholing” routes all traffic to a valid IP address where the traffic is analyzed and bad packets are rejected.
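The first defence listed above, finding the sources that send the overflow traffic so the firewall can block them, as an added example that is not part of the deck. The log line format, the sliding-window threshold and the rule syntax are assumptions; the log lines are constructed.

```python
"""Per-source request-rate detection over constructed sample log lines.

Added example (not from the RBC deck). Flags any client that exceeds a
request threshold inside a sliding time window, which is the signal an
operator would turn into firewall block rules for a simple (non-spoofed)
flood. Log format and thresholds are assumptions for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample web-server log: "<ISO timestamp> <client ip> <path>".
SAMPLE_LOG = """\
2014-12-11T10:00:00 203.0.113.5 /index.html
2014-12-11T10:00:00 203.0.113.5 /index.html
2014-12-11T10:00:01 203.0.113.5 /index.html
2014-12-11T10:00:01 198.51.100.7 /login
2014-12-11T10:00:02 203.0.113.5 /index.html
2014-12-11T10:00:02 203.0.113.5 /index.html
2014-12-11T10:00:03 198.51.100.7 /account
2014-12-11T10:00:30 203.0.113.5 /index.html
2014-12-11T10:00:31 192.0.2.9 /index.html
"""


def parse_line(line):
    """Split one log line into (timestamp, client ip, request path)."""
    ts, ip, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, path


def find_flooders(log_text, window_seconds=10, threshold=5):
    """Return {ip: peak_count} for every source that made at least
    `threshold` requests inside some window of `window_seconds`.
    Lines are assumed to be in time order, as a server log is."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, _ = parse_line(raw)
        q = recent[ip]
        q.append(ts)
        # Evict timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def firewall_rules(peaks):
    """Render block rules for the flagged sources. The rule syntax is an
    assumption; a real deployment feeds the firewall's own CLI or API."""
    return ["deny from %s  # peak %d requests per window" % (ip, n)
            for ip, n in sorted(peaks.items())]


if __name__ == "__main__":
    for rule in firewall_rules(find_flooders(SAMPLE_LOG)):
        print(rule)
```

Source-address blocking only helps when the flooding addresses are real; the spoofed ICMP and UDP floods mentioned on the slide need upstream filtering (blackholing or sinkholing) instead.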

6. Top Cyber Threats: Botnets

“Botnets” are sets of compromised computers which are under the control of an attacker. These compromised systems are called “bots” or “zombies.” Botnets are multiple usage tools that can be used for spamming, identity theft, infecting other systems, and distributing malware.

• Botnets are used as a commodity. Interested parties can rent botnets in order to achieve their purposes.
• Sophisticated attackers often refrain from using a single massive botnet that will attract attention from law enforcement. The new trend is to use multiple smaller botnets that are difficult to track and take down.
• Botnets support infection capabilities for multiple operating systems, as well as iPhone and Android mobile phones.
• Cloud Computing platforms have also been used to set up botnets.
• Botnets are frequently used in DDoS attacks. [see slides 11 and 12]

6. Top Cyber Threats: Viruses

A computer “Virus” attaches itself to a program or file, enabling it to spread from one computer to another, and attempts to infect other systems. Computer viruses can range in severity from merely annoying to serious infections that can damage files and render a computer inoperable.

Almost all viruses are attached to an executable file (for example, “.exe” files). This means that viruses can’t infect a computer unless a user runs or opens the malicious program. In other words, viruses can’t be spread unless there’s some degree of human interaction. People may unknowingly spread a virus by sharing infected files, usually through an email attachment that has a virus embedded in it. [see Case Study #3 on slide #15]

Case Study #3: Aramco

Aramco is a Saudi Arabian national oil and natural gas company. It has the largest proven oil reserves in the world, and is the world’s largest daily producer.

In August 2012, a cyber attack wiped out data on 30,000 out of 40,000 computers at Aramco. The purpose of the attacks was to impair oil and gas production in Saudi Arabia, which is the biggest exporter in the Organization of Petroleum Exporting Countries (OPEC). A group claimed responsibility, saying that their motives were political. As proof of the attack, they posted the IP addresses of thousands of Aramco employees online. They left a calling card of sorts – an image of a burning American flag was left on the infected PCs. The attack used a virus called Shamoon to infect workstations. Shamoon spread through Aramco’s network and wiped out the hard drives on all connected computers. As a result of the attack, Aramco had to shut down its internal computer systems for a week.

6. Top Cyber Threats: Worms

“Worms” are a sub-class of Viruses. Worms are programs that have the ability to replicate and redistribute themselves by exploiting vulnerabilities of the target systems. The “Conficker” worm is one of the most famous worms. It was first detected in 2008, and eventually infected millions of computers in over 200 countries:

• The purpose of Conficker is unknown. The program has never been activated by its creators, other than to propagate to other hosts and to update itself.
• The creators of Conficker are unknown. It is believed that they track efforts to eradicate their program, and regularly release new variants to address vulnerabilities. Conficker is categorized as an “Advanced Persistent Threat” (APT) by computer security experts.

• The French Navy computer network was infected with Conficker in 2009. The network had to be quarantined, which forced aircraft at several airbases to be grounded.
• In the same year, the British Ministry of Defence became infected with Conficker, including computers aboard Royal Navy warships and submarines.

6. Top Cyber Threats: Trojan Horses

“Trojan Horses” are malware programs that gain privileged access to the operating system while appearing to perform a desirable function, but instead drop a malicious . Unlike Viruses and Worms, Trojans do not reproduce by infecting other files. Also, Trojans do not self-replicate. Trojans often try to install a backdoor that will allow the attacker unauthorized access to a target system. Trojans may steal information, or harm their host computer systems. Trojans are the most reported type of malicious code.

[example of a fake security alert]

6. Top Cyber Threats: Logic Bombs

A “Logic Bomb” is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a disgruntled programmer who is at risk of termination may hide a piece of code that starts deleting files if their name is removed from the HR database of employed individuals. Some will activate on a predefined date, such as the anniversary of a political event. Viruses, Worms, and Trojan Horses often contain Logic Bombs.

Examples:

• The Shamoon virus that was used to attack Aramco was triggered by a Logic Bomb. [see Case Study #3 on slide #15]
• When a system administrator at UBS Paine Webber was unhappy with his bonus, he created a Logic Bomb that would delete the files on a host server in the central data center as well as on servers in almost every branch. He then resigned, and bought Puts on UBS in anticipation of their stock price going down. On March 4, 2002, the code activated, and 2,000 servers in 400 branches went down, some for as long as a week. The programmer was arrested and charged with computer fraud. He was sentenced to 97 months in prison and a $3.1 million fine.
• On October 24, 2008, an IT contractor for Fannie Mae was fired. His network access was revoked several hours later. In the interim, he planted a Logic Bomb that was supposed to wipe out the data on 4000 of Fannie Mae’s servers. However, the code was found before it activated. The contractor was arrested and charged with unauthorized computer access. He was found guilty, and sentenced to 41 months in prison.

6. Top Cyber Threats: Phishing and Spear Phishing

“Phishing” utilizes fraudulent e-mails and legitimate looking websites in order to deceitfully gain user credentials. Phishers use various Social Engineering techniques to lure victims into providing information such as passwords, social security numbers, and credit card numbers. “Spear Phishing” focuses on a single user or department. Spear Phishing emails appear to come from a source trusted by the targets, such as “Tech Support” or “Human Resources.”

6. Top Cyber Threats: Exploit Kits

“Exploit Kits” are ready-to-use software packages that automate cybercrime. They often use Drive-by Download Attacks [see slide #21]. These attacks exploit vulnerabilities in browsers and browser plug-ins. Exploit Kits deliver malware and infect unsuspecting web users.

The relative ease of use of Exploit Kits allows people with limited technical knowledge to purchase and use them.

• The “Blackhole Exploit Kit” is one of the most popular kits that is commercially available.
• Pictured here is the “Statistics” tab of Blackhole 2.0’s Administrative Panel. It shows hits, hosts, and successful exploits across browsers, regions, and operating systems.

6. Top Cyber Threats: Drive-by Exploits

Drive-by Exploits are a subset of Exploit Kits. Also known as “Drive-by Download Attacks,” they inject malicious code into the source code of compromised websites, in order to exploit vulnerabilities in users’ web browsers. Drive-by Exploit Attacks against web browsers have become one of the top problems on the internet. Attacks against browsers often target the following plug-ins:

• Java
• Adobe Reader
• Adobe Flash

The attacks are usually launched through compromised legitimate websites which are used by attackers to host malicious links and malicious code. Many attacks originate from cybercriminals who use the “Blackhole Exploit Kit.” [see slide #20]

6. Top Cyber Threats: Code Injection Attacks

“Code Injection Attacks” include attacks against web applications such as SQL Injection (SQLi), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Remote File Inclusion (RFI). Code Injection Attacks try to extract data, steal credentials, take control of servers, or exploit vulnerabilities in web applications. SQL injection attacks are known to be popular with hacker groups like LulzSec.

• SQLi is one of the most popular attack methods against entertainment, retail, technology, media and education websites.
• CSRF is one of the top attack methods for Web 2.0 and Hosting Providers.
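What SQL Injection actually exploits, shown as the vulnerable login query beside its parameterized form. This is an added example, not code from the deck; the in-memory SQLite table, its two constructed rows and the function names are assumptions.

```python
"""SQL injection: a vulnerable query and the parameterized fix, side by side.

Added example (not from the RBC deck). The users table is constructed in
an in-memory SQLite database; schema and function names are assumptions.
"""
import sqlite3


def make_db():
    """Create a throwaway database with two constructed user rows.
    Plaintext passwords are used only to keep the demo short; real
    systems store salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Untrusted input is pasted into the SQL text, so a quote character in
    the input can change the query's structure instead of being data."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s' "
           "ORDER BY name" % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Placeholders bind the input as values; the query structure is fixed
    before any user data is seen, so the same input matches no row."""
    sql = ("SELECT name FROM users WHERE name = ? AND password = ? "
           "ORDER BY name")
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Return (vulnerable_result, safe_result) for a login attempt whose
    password field closes the SQL string literal and appends an always-true
    condition. The vulnerable query returns every user; the safe one none."""
    conn = make_db()
    tampered = "' OR '1'='1"
    return (login_vulnerable(conn, "nobody", tampered),
            login_safe(conn, "nobody", tampered))


if __name__ == "__main__":
    print(demo())
```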

6. Top Cyber Threats: Rogueware

“Rogueware” is any kind of fake software that cybercriminals distribute in order to lure users into serving their malicious intentions. The distribution of rogueware products often involves search engine poisoning, spam emails and drive-by downloads. Categories of rogueware include:

• Scareware: Rogue security software which tries to infect computers by providing fake security alerts. A common tactic involves convincing users that a virus has infected their computer, then suggesting that they download software to remove it.
• Ransomware: Malware which restricts access to the system that it infects, and demands that a ransom be paid in order for the restriction to be removed. Some forms of Ransomware encrypt files on the system's hard drive, while others lock the system and display messages intended to coax the user into paying.

6. Top Cyber Threats: Rogue Certificates

Digital Certificates are a means of defining trust on the Internet. “Rogue Certification Authority Certificates” (or “Rogue CA Certificates,” or “Rogue Certificates”) allow malicious users to impersonate websites, including banking and e-commerce sites secured using the HTTPS protocol. A rogue CA certificate may be trusted by web browsers, and is harmful because it can appear to be signed by one of the root CAs that browsers trust by default.

A rogue certificate can be created using a vulnerability in the Internet Public Key Infrastructure (IPKI) used to issue digital certificates for secure Web sites. Attackers steal, produce and circulate rogue certificates, which give them the capability of engaging in attacks that are hard to detect. Rogue certificates can also be used to sign malware so that it appears legitimate and can evade detection mechanisms.

6. Top Cyber Threats: Identity Theft

“Identity theft” is an attack that occurs when an attacker steals user credentials, and uses them in order to serve malicious goals, mostly related to financial fraud.

• Cybercriminals have paid particular attention to exploiting vulnerabilities in online banking. Banking Trojans (such as “ZeuS”) have been refined, and are optimized to steal online banking credentials.
• Mobile users increasingly use their devices for online banking and financial transactions. As a result, they have also become a target of cybercriminals. “ZeuS-in-the-Mobile” (ZitMo) is a variant of the ZeuS banking Trojan that was specifically written for mobile user identity theft.
• There are publicly available hack tools that enable attackers to intercept Wi-Fi traffic, identify users and passwords for popular services, and hijack personal accounts.
• Identity theft and identity fraud have a high frequency and a high level of risk in social networks.

[Diagram: How ZeuS works when a web browser is opened on an infected computer. Note that “C&C” in step four stands for “Command and Control.”]

6. Top Cyber Threats: Confidential Information Breaches

“Confidential information breaches” refer to the compromising of confidential information to either internal or external threat agents. This threat targets sensitive information from various sectors such as the public health sector, governmental organizations, and small and medium businesses. Data breaches are usually realized through some form of hacking, incorporated malware, physical attacks, social engineering attacks and misuse of privileges.

• In recent years, the number of data breaches detected at healthcare organizations has increased. The adoption of electronic health record systems that store personally identifiable information seems to attract the attention of cybercriminals.
• Negligent insiders and external malicious attacks are the main causes of data breaches.
• Cybercriminals and hacktivists are the major external threat agents for data breaches.
• Enterprises that suffer confidential information breaches may lose money and also incur damage to their reputations.
• Individuals are also subject to confidential information breaches. [see Case Study #4 on slides #27 and 28]

Case Study #4: Hacking the Dalai Lama

In 2008, the Indian government received an email warning them not to host the Dalai Lama for an upcoming visit. The visit was not public knowledge yet, which raised a red flag. So, the country hired a Canadian security firm to find out who sent the message, and how this sensitive information had been attained. The firm found that the Dalai Lama’s laptop had been compromised when a malicious link in an email had been clicked, which downloaded software that allowed attackers to take complete control over his laptop:

• A keylogger program recorded every keystroke entered on the computer, so the hackers could read all documents created on it.
• His email account had been compromised, so they could read all incoming and outgoing mail.
• The hackers were able to turn on the laptop’s webcam remotely without triggering the red light that indicated that the webcam was on, thereby enabling them to observe all activity in sight of the webcam without anyone’s knowledge.
• The hackers also controlled the laptop’s microphone, enabling them to use the laptop as a bugging device.

Case Study #4: Hacking the Dalai Lama

It took the security firm 10 months to track down the suspected hackers. They pinpointed the source of the surveillance on the Dalai Lama to an island off the southern coast of a large Eastern nation. The accused country has denied all knowledge of and responsibility for the hack on the Dalai Lama.

As reported in , the hack on the Dalai Lama was part of a large scale cyber information gathering operation called “GhostNet.” Discovered in 2009, GhostNet is believed to have infiltrated targets in 103 nations, including political, financial, and media targets. GhostNet’s primary methodology is to send emails with malicious attachments to the targets. If the attachments are opened, they attempt to infiltrate a Trojan Horse into the system. The Trojan connects back to a control server, and will execute any given commands. Often, the command server will try to install a Trojan called “Ghost RAT” (“Remote Administration Tool”). This Trojan allows attackers complete, real-time control of infected computers.

6. Top Cyber Threats: Targeted Attacks

“Targeted Attacks” occur when attackers target a specific entity/organization over a long time span. Often the objective of targeted attacks is either data exfiltration or gaining persistent access to and control of the target system. This kind of attack consists of an information gathering phase and the use of advanced techniques to fulfill the attacker’s goals. The first phase usually involves Spear Phishing, infected media or social engineering techniques. The second phase involves exploitation techniques.

• The Spear Phishing message can include a link or attachment (e.g. executable file, ZIP, PDF, Text Documents, etc.) leading to infection of the target system, often with custom malware that (i.e. bypassing anti-virus detection mechanisms).
• More and more targeted attacks against small companies have been registered. This trend could be based on the perception that small companies, with fewer resources for security measures, are an easier target.
• The energy sector has incurred a disproportionately large number of serious targeted attacks in recent years (most famously “Stuxnet”), with vulnerabilities of “SCADA” systems (Supervisory Control and Data Acquisition systems) frequently being targeted by attackers. [see Case Study #5 on slides #30, 31 and 32]

Case Study #5: Stuxnet

Stuxnet is one of the most famous targeted attacks. First detected in 2010, it caused an estimated 1000 centrifuges to malfunction in a uranium purification facility in Iran. The system it attacked was not connected to the internet. Rather, it was “air-gapped” from all online systems as an added degree of security. It is believed that a large Western nation partnered with a small Asian nation to create Stuxnet. Various intelligence sources told media outlets that Stuxnet may have set back the Iranian Nuclear program two years or more. Because of its complexity, sophistication, and devastating impact, Stuxnet has become the most studied piece of malware in history.

[some Stuxnet code]

Case Study #5: Stuxnet

How Stuxnet is believed to have worked:

1. Stuxnet enters a system via unknown means (probably an infected laptop, external hard drive, USB thumb drive, or infected project file) and infects all machines running Windows. By utilizing Rogue Certificates, it is able to avoid being detected.
2. Stuxnet then checks to see if a given machine is part of the Siemens Step7 “SCADA” (Supervisory Control and Data Acquisition) system that is used to run high speed centrifuges that help enrich nuclear fuel.
3. If the system is not in the target profile, Stuxnet does nothing. If it is in the target profile, Stuxnet accesses the internet and updates itself to the most recent version.
4. Stuxnet observes the operations of the targeted systems. Then, it compromises the targeted systems’ logic controllers with multiple zero-day exploits.
5. Stuxnet takes control of the uranium enrichment centrifuges, and commands them to spin either too fast or too slow. Over a number of weeks, this causes the centrifuge rotors to crack. It also renders the uranium unusable.
6. While this is going on, Stuxnet feeds the command and control systems with false diagnostic information, reporting that the centrifuges are functioning normally, while they are actually critically malfunctioning.

RBC Enterprise Operational Risk Management 32 7. Malware as a Service (MaaS)

!!!!!“Cyber!Threats:!An!Overview!for!Opera7onal!Risk!Managers”!

Malware as a Service (MaaS) is a new and emerging criminal business model. There is an on- going professionalization and commercialization of cybercrime software through this kind of threat. MaaS vendors compete with each other in the marketplace for customers, just like legitimate vendors. In recent years, it has become increasingly common for MaaS vendors to offer the following to their customers:

• Botnet rentals (such as $200 for 1000 zombies for 1 week – see graphic at right). • Payments accepted in multiple currencies. • User Manuals available in multiple languages. • 24/7 Tech Support. • Service Level Agreements for certain services (i.e. 99.9% guaranteed uptime for Botnets). • Attorneys on retainer in multiple countries for certain services (such as DDoS participation). Weekly!botnet!rental!prices!per!loca7on!of!the!zombies,!as!adver7sed!on! • Affiliate commissions for referring others to a!MaaS!website.!Note!the!higher!prices!for!USObased!zombies.!This!is! the MaaS vendor. indica7ve!of!cyber!security!being!more!responsive!in!the!US,!which! increases!the!amount!of!work!that!the!MaaS!vendor!has!to!do!to! maintain!their!regional!botnets.! RBC Enterprise Operational Risk Management 33 8. Zero-Day Vulnerabilities


“Zero-Day Vulnerabilities” are vulnerabilities in software that are unknown to the vendor. The vulnerability is then exploited by hackers before the developer of the software becomes aware (which is called a “Zero-Day Attack”). Uses of these attacks can include planting malware or spyware, or gaining access to confidential user information. Depending on the nature of the exploit, zero-day vulnerabilities can be serious security risks. And, it is often the case that the larger and more complicated the software, the more difficult it is for developers to test it for vulnerabilities. Some firms even hire “white hat” hackers, or run contests with monetary prizes awarded to individuals or groups that are able to compromise their software. There are online services that analyze files and URLs to try to identify malware by running them through multiple anti-virus programs simultaneously. While this is useful, these same sites can also be used by the writers of malware to see which anti-virus programs are likely to detect and defeat their software, so they can refine it before launching a zero-day attack. [see “Heartbleed” on slide #35 and “Shellshock” on slide #36]

8. Zero-Day Vulnerabilities: “Heartbleed”


The “Heartbleed” bug is a critical vulnerability in OpenSSL cryptographic software. The bug was introduced to OpenSSL in December 2011 because of a coding error by a programmer while he was fixing other bugs. It was jointly discovered by security researchers at and Codenomicon, and announced to the public in April 2014. It’s called “Heartbleed” because the bug is in OpenSSL’s implementation of the Protocol’s “Heartbeat” extension. Heartbleed allows anyone on the Internet to read the memory of the systems protected by vulnerable versions of OpenSSL. This compromises the secret keys used to identify the service providers and to encrypt the traffic, names and passwords of the users as well as the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

OpenSSL is used in popular web servers like Apache and Nginx, which are used by an estimated 66% of all active internet sites worldwide. OpenSSL is also used to protect email servers, chat servers, and Virtual Private Networks. It is not known how widespread successful exploits of Heartbleed have been, because exploits of this bug are virtually impossible to detect.
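The coding error behind Heartbleed, and the one-line check that fixed it, shown in C as an added illustration (this is not OpenSSL's own code). The simplified handler below trusts the length field in the heartbeat record when check_bounds is 0, so it copies bytes that lie beyond the record that actually arrived; the record layout, buffer sizes and the constructed "neighbouring memory" are assumptions made for the demo.

```c
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding that follows the payload */

/* Handle one heartbeat record: type (1 byte), payload length (2 bytes,
 * big-endian), payload, padding. rec_len is how many bytes really arrived.
 * check_bounds == 0 reproduces the pre-fix logic (the claimed length is
 * trusted, so memcpy reads past the real record); check_bounds == 1 adds the
 * check the fix introduced. Returns response bytes written, or -1 if the
 * record is rejected. */
int handle_heartbeat(const unsigned char *rec, size_t rec_len,
                     unsigned char *out, size_t out_cap, int check_bounds)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* peer-controlled */
    /* The fix: a claimed payload that does not fit in what arrived is dropped. */
    if (check_bounds && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    if (3 + payload > out_cap)       /* keeps this demo itself memory-safe */
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* echoes `payload` bytes to the peer */
    return (int)(3 + payload);
}

/* Constructed stand-in for server memory: a genuine 23-byte request whose
 * length field claims 32 bytes, followed by 12 bytes that happen to sit next
 * to it and must never leave the server. */
static const unsigned char demo_memory[] =
    "\x01\x00\x20"          /* type = request, claimed length = 32 */
    "ping"                  /* the real 4-byte payload */
    "PPPPPPPPPPPPPPPP"      /* 16 bytes of padding */
    "TOPSECRETKEY";         /* neighbouring memory, not part of the record */
#define DEMO_RECORD_LEN 23  /* what actually arrived on the wire */

/* Feed the demo record to the handler and copy into `leak` whatever bytes of
 * the response came from beyond the real record. Returns the number of
 * leaked bytes: 12 for the pre-fix logic, 0 once the bounds check is in. */
int leaked_bytes(int check_bounds, unsigned char *leak, size_t cap)
{
    unsigned char out[64];
    int n = handle_heartbeat(demo_memory, DEMO_RECORD_LEN, out, sizeof out, check_bounds);
    size_t real = DEMO_RECORD_LEN - 3;          /* payload + padding that arrived */
    if (n < 0 || (size_t)n - 3 <= real)
        return 0;
    size_t extra = (size_t)n - 3 - real;
    if (extra > cap)
        extra = cap;
    memcpy(leak, out + 3 + real, extra);
    return (int)extra;
}
```

The leaked bytes are whatever happened to be adjacent in memory, which is why the text above says secret keys and user data could be exposed: the server never validated that the peer's claimed length matched what it had received.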

8. Zero-Day Vulnerabilities: “Shellshock / Bash”


A vulnerability has been found that affects most versions of the Linux and Unix operating systems, in addition to Mac OS X (which is based on Unix). Known as “Shellshock” or the “Bash Bug,” this vulnerability could allow an attacker to gain complete control over a targeted computer. The bug was discovered by a Unix/Linux specialist at Akamai, and announced to the public in September 2014. The bug has existed in the software for 22 years. Because the bug has existed for such a long period of time, it’s not possible to know how many successful exploits there have been. The vulnerability affects “Bash,” a common component known as a “shell” that appears in many versions of Linux and Unix. Bash acts as a command language interpreter. Bash can also be used to run commands passed to it by applications.

Successful exploitation of Shellshock could enable remote code execution. This could allow an attacker to steal data from a compromised computer, write files, and get access to other computers on an affected network. The Department of Homeland Security’s National Vulnerability Database rates Shellshock a “10” for criticality.

9. The Problem of Attribution


If a missile destroyed a power plant, tracing where the missile originated from would be easy. However, if a sophisticated cyber attack disabled a power plant, it might take months or even years to attribute the source of the attack, if ever. It is often extremely difficult, if not impossible, to identify the perpetrators of a cyber attack with a high degree of confidence. Most hackers can successfully mask the source of an intrusion by spoofing IP addresses, making it appear that a cyber attack from one location is actually coming from another.

[Excerpted from “Untangling Attribution: Moving to Accountability in Cyberspace” presented by Robert Knake to the Subcommittee on Technology and Innovation of the US House of Representatives - 7/15/10.]

10. The Bleeding Edge: Supply Chain Hardware Hacking


The Department of Homeland Security has recently confirmed that it has become aware of electronic equipment that has come preloaded with malware. Security experts are increasingly pointing to internal hardware hacks via the supply chain as potentially as vexing a challenge as external cyber threats. The vulnerability is made acute by the popularity of imported off-the-shelf hardware in both the public and private sectors, which is almost always less expensive than custom built solutions. More than 97% of silicon chips are manufactured outside of the US. There is currently no practical way to inspect them for hardware hacks. Also, no significant alternative domestic source for the chips is likely to emerge, at least not in the foreseeable future. The US is as reliant on imported chips today as it used to be on imported oil (before the advent of fracking). A “Cyberspace Policy Review” conducted by the Obama administration points to supply chain attacks as a very serious problem in the future: “A sophisticated adversary might narrowly focus on particular systems, and make manipulation virtually impossible to discover.” [see Case Study #6 on slide #39]

Case Study #6: Android Phone Hardware Hack


In 2012, Reuters reported that two Android mobile phone models made by ZTE that used a chip manufactured by a firm that the US alleges has ties to the government of a large Eastern nation came pre-hacked, and were subject to exploitation. If the phones received a specific text message (“ZTEX1609523”), the sender of the message got complete control over the phone, including the ability to read all data stored on the phone, the ability to turn on the phone remotely, and the ability to monitor phone conversations. After the hack became public knowledge, ZTE issued a security to negate the exploit. Both ZTE and the chip manufacturer have denied any intentional wrongdoing. The founder of a cyber security firm said, “I have never seen this before. There are rumors about backdoors in equipment from [the large Eastern nation] floating around. That’s why it’s so shocking to see it blatantly on a device.”

11. Hackbacks and the Legal Limits of Cyber Self-Defense


The (NSA) described cyber attacks against US companies as the greatest theft of intellectual property in history. So, what can companies do to protect themselves, other than the aforementioned three-pronged approach to cyber defense? “Hackbacks.” There are three primary types of hackbacks:

1. Invasive techniques that obtain access to the hacker’s system, and then pursue a strategy of disabling, destroying, or seizing control over the attacking assets.
2. Symmetric counterstrikes which exploit vulnerabilities on the attacker’s system, in an amount proportional to their current attacks.
3. Asymmetric counterstrikes which constitute retaliation that is significantly in excess of the attack by the perpetrator.

However, almost all hackbacks are currently illegal under the “Computer Fraud and Abuse Act,” which makes “knowingly causing the transmission of a program, information, code, or command, and . . . intentionally causing damage . . . to a protected computer” a . As the law currently stands, companies using hackbacks might face exposure to both criminal and civil liability. However, it is known that a number of Fortune 500 companies have contracted foreign firms to do hackbacks on their behalf.

12. Insurance Against Cyber Threats


“Cyber Risk” insurance used to be considered a niche product, but it is becoming increasingly popular. Here are some things to consider when purchasing a policy:

• In order to obtain coverage, policies often require companies to bolster their cyber defenses. Meeting these prerequisites may be costly – in some cases, more costly than the policy itself. As such, they also need to be included in your budget. The obvious upside to this is improved cyber security at your firm.
• As with any other form of insurance, it’s important to be aware of the restrictions and range of exclusions on the policy:
  • Some policies cover the costs for things like forensic analysis of cyber attacks, and notifying data victims.
  • Coverage for employee productivity losses, revenue losses, and reputational damage control may not automatically be included in Cyber Risk policies.
  • Many Cyber Risk policies also do not include insurance for cyber attacks against third parties, such as IT vendors or business partners.

So, what are the monetary consequences of a successful Cyber Attack to a targeted firm? [see Case Study #7 on slide #42]

Case Study #7: The “Target” Hack and the Cost of Cyber Attacks


The costs of cyber attacks will vary widely from company to company, depending on the nature of the attack. But, for illustrative purposes, let’s look at the attack on “Target.”

• On November 12, 2013, attackers first breached Target’s computer systems. The intrusion was detected by Target’s security systems, but the company’s security professionals apparently took no action until they were compelled to do so by law enforcement.
• After investigating the matter, on December 15, 2013, Target confirmed that malware had been installed on their systems, and PII (Personally Identifiable Information) on as many as 98 million customers had been stolen.
• Target said that as of November 1, 2014, it had incurred $248 million in data breach related expenses, including the costs of:
  • Investigating the breach.
  • Providing credit monitoring services for impacted customers.
  • Increasing call center staffing for customer inquiries.
  • Accruals for fraud losses.
• In addition, Target has been the subject of over 100 legal actions, including lawsuits against it from Target’s credit card processors. Some of the legal actions may be settled monetarily.
• According to a report issued by Jefferies, the Payment Cards Industry Council (PAIC) may fine Target as much as $400 million.
• Target had a $100 million network security insurance policy, with a $10 million deductible. This enabled it to recoup $90 million.

13. Comments from the Head of U.S. Cyber Command


On October 28, 2014, at a speech to the U.S. Chamber of Commerce, Admiral Mike Rogers, who is the Head of U.S. Cyber Command and Director of the NSA, had this to say about the current state of Cyber Threats, and the implications for the private sector:

“Every one of us intellectually knows that this is a significant national security issue that is not going away and that is likely only to get worse…I have said this both internally within the Department of Defense as well as the private sector individuals and organizations I deal with – we have got to move from a focus where almost all our resources are focused on stopping someone from penetrating our networks to an acknowledgement that there is a likelihood that despite our best efforts, we are going to fail. And therefore, remediation and mitigation starts to become really critical. I think we need to shift to a focus on remediation and mitigation.”

14. Conclusion


The purpose of this presentation was to provide Operational Risk Managers and other non-technologists with a solid overview of the current state of Cyber Threats.

In conclusion, here are some questions to consider:

1. Is senior management in your firm sufficiently informed about Cyber Threats, and are they committed to properly building out and/or adapting your firm’s defenses to the ever-changing Cyber Threat landscape?

2. Cyber Attacks are becoming more sophisticated. Do you think your firm will be able to detect, prevent, and recover from newer, more dangerous attacks going forward?

3. Are enough resources in your firm being allocated to resiliency, remediation, and mitigation, as opposed to prevention?

4. Have you considered buying Cyber Risk Insurance as a way to help mitigate losses?

15. Contact Information


Neil Roth Head of Operational Risk Management for Combined U.S. Operations Royal Bank of Canada 3 World Financial Center – 9th Floor New York, NY 10281

T: 212-428-6247 E: [email protected]

16. Disclaimer


This presentation was prepared exclusively for the benefit of and internal use by the recipient for the purpose of considering the transaction or transactions contemplated herein. This presentation is confidential and proprietary to RBC Capital Markets, LLC (“RBC CM”) and may not be disclosed, reproduced, distributed or used for any other purpose by the recipient without RBCCM’s express written consent. By acceptance of these materials, and notwithstanding any other express or implied agreement, arrangement, or understanding to the contrary, RBC CM, its affiliates and the recipient agree that the recipient (and its employees, representatives, and other agents) may disclose to any and all persons, without limitation of any kind from the commencement of discussions, the tax treatment, structure or strategy of the transaction and any fact that may be relevant to understanding such treatment, structure or strategy, and all materials of any kind (including opinions or other tax analyses) that are provided to the recipient relating to such tax treatment, structure, or strategy. The information and any analyses contained in this presentation are taken from, or based upon, information obtained from the recipient or from publicly available sources, the completeness and accuracy of which has not been independently verified, and cannot be assured by RBC CM. The information and any analyses in these materials reflect prevailing conditions and RBC CM’s views as of this date, all of which are subject to change. To the extent projections and financial analyses are set forth herein, they may be based on estimated financial performance prepared by or in consultation with the recipient and are intended only to suggest reasonable ranges of results. The printed presentation is incomplete without reference to the oral presentation or other written materials that supplement it. 
IRS Circular 230 Disclosure: RBC CM and its affiliates do not provide tax advice and nothing contained herein should be construed as tax advice. Any discussion of U.S. tax matters contained herein (including any attachments) (i) was not intended or written to be used, and cannot be used, by you for the purpose of avoiding tax penalties; and (ii) was written in connection with the promotion or marketing of the matters addressed herein. Accordingly, you should seek advice based upon your particular circumstances from an independent tax advisor.
