Hacking & Social Engineering Steve Smith, President Innovative Network Solutions, Inc. Presentation Contents Hacking Crisis What is Hacking/Who is a Hacker History of Hacking Why do Hackers hack? Types of Hacking Statistics Infrastructure Trends What should you do after being hacked Proactive Steps Social Engineering Objective What is Social Engineering What are they looking for? Tactics Protecting yourself INS Approach Infrastructure Assessment Network Traffic Assessment Social Engineering Assessment Conclusion Security is Everyone’s Responsibility – See Something, Say Something! Hacking Crisis Internet has grown very fast and security has lagged behind It can be hard to trace a perpetrator of cyber attacks because most are able to camouflage their identities Large scale failures on the internet can have a catastrophic impact on: the economy which relies heavily on electronic transactions human life, when hospitals or government agencies, such as first responders are targeted What is Hacking? The Process of attempting to gain or successfully gaining, unauthorized access to computer resources Who is a Hacker? In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. History of Hacking Began as early as 1903: Magician and inventor Nevil Maskelyne disrupts John Ambrose Fleming's public demonstration of Guglielmo Marconi's purportedly secure wireless telegraphy technology, sending insulting Morse code messages through the auditorium's projector The term “Hacker” originated in the 1960’s at MIT A network known as ARPANET was founded by the Department of Defense as a means to link government offices. In time, ARPANET evolved into what is today known as the Internet. Hacking began in the 1960s at MIT , origin of the term “hacker”. During the 1980s, hacking was not known amongst the masses as it is presently. To be a hacker was to be a part of a very exclusive and secluded group Hackers have developed methods to exploit security holes in various computer systems Why do hackers hack? Just for fun. Show off. Hack other systems secretly. Notify many people their thought. Steal important information. Destroy enemy’s computer network during the war. Types of Hacking Indiana State and Local Government Residents have entrusted their elected officials and government employees with important data. This includes medical records, tax assessment data, property records, court records, personnel staffing records, criminal justice records, surveying records and more. Unfortunately, there are some governments that may manage their confidential data themselves using old hardware and/or software systems that could make them more vulnerable to cyber threats. This is especially true for those that manage the utilities, creating a situation in which not only information is being stored and at risk, but so is the industrial controls and critical infrastructure. Unlike intrusion into information technology systems, which results in the loss of data, the compromise of industrial control systems can allow attackers to take control of physical infrastructure and mechanical systems. This evolving threat puts complex manufacturing, energy infrastructure, water utilities and petrochemical production systems at risk for attack. In 2012 alone, the U.S. Department of Homeland Security reported nearly 200 attacks on industrial control systems, 40% of which were against energy production and distribution systems. http://www.in.gov/cybersecurity/2529.htm Statistics Q2 2017 Statistics Exploits 184 billion exploit detections 1.8 billion average daily volume 6,298 unique exploit detections 69% of firms saw severe exploits Malware 62 million malware detections 677,000 average daily volume 16,582 variants in 2,534 families 18% of firms saw mobile malware Statistics Q2 2017 Statistics Botnets 2.9 billion botnet detections 32 million average daily volume 243 unique botnets detected 993 daily communications per firm Infrastructure Trends Infrastructure Trends What should you do after being hacked? Shutdown and turn off the system Unplug the network cable from the computer or shutoff the wireless network Report the crime Paying the ransom is no guarantee Contact experts (your IT Department or IT Support Company) Have a Plan B Proactive Steps What can you do? Website Hacking Keep all software up to date (Operating Systems and any software running on the website) SQL Injection - You can easily prevent this by always using parameterized queries XSS (Cross-site scripting) - ensure that users cannot inject active JavaScript content into your pages Error Messages - Provide only minimal errors and error information to your users, to ensure they don't leak potential vulnerabilities present on your server Server side validation/form validation - Validation should always be done both on the browser and server side File Uploads – Do NOT allow. Allowing users to upload files to your website can be a big website security risk, even if it’s simply to change their avatar HTTPS - HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees to users that they're talking to the server they expect, and that nobody else can intercept or change the content they're seeing in transit Website Security Tools - They work on a similar basis to scripts hackers will use in that they test all known exploits and attempt to compromise your site Network Hacking Maintain a strong firewall Conduct regular scans of your network Limit and require secure remote access Enforce antivirus/anti-malware policy If you maintain credit card information, encrypt the data Keep all software up to date (Operating Systems and any software running on the internal systems) Provide and require continual education Ethical Hacking Employ a trusted IT firm Ethical Hacking Services firm to assess your infrastructure Independently test your security processes and controls, to identify all vulnerabilities of your environment with a ranking of their level of risk based on the ease with which they can be exploited Have identified vulnerabilities exploited (often called penetration testing or pentesting) which is performed to demonstrate the consequences when these vulnerabilities were found and exploited by an attacker Review your current risks against your desired risk profile, and then develop a reliable, flexible road map that will help you manage your vulnerabilities Email Security Ensure your firewall has ability to scan inbound email threats Install/Implement Anti-spam and Anti-virus solutions Combine a malware-prevention system that is able to detect zero-day threats Ensure your network is secure/protected to prevent access to your email server Educate your team (continuous) Password Security Do not write your password down Make sure others do not watch you type your password Utilize a password policy that consists of: Minimum number of characters Must use special characters Must use a number Must change your password every X months Cannot use same password until X amount of changed passwords Do not use dictionary words Example: Noah E. Smith N0ah3$m1th Online Banking Security Follow the proactive steps to a secure password Ensure the device you use is adequately secure Avoid using public computers or insecure Wi- Fi connections Be wary of unsolicited messages supposedly coming from your bank Computer Security Employ hardware protection mechanisms USB dongles – to unlock software Computer case intrusion detection Encrypt hard drives Disable USB ports Install Anti-virus and Anti-malware solutions Install local firewall Keep operating system and Anti-virus/Anti-malware software up to date Consider a Two-Factor Authentication solution Do not give personal information over un-encrypted websites Back up your files or save them on a central server Social Engineering Objectives Understand the principles of social engineering Define the goals of social engineering Recognize the signs of social engineering Identify ways to protect yourself from social engineering Security is Everyone's Responsibility – See Something, Say Something! What is Social Engineering At its core it is manipulating a person into knowingly or unknowingly giving up information; essentially 'hacking' into a person to steal valuable information It is a way for criminals to gain access to information systems. The purpose of social engineering is usually to secretly install spyware, other malicious software or to trick persons into handing over passwords and/or other sensitive financial or personal information Social engineering is one of the most effective routes to stealing confidential data from organizations, according to Siemens Enterprise Communications, based in Germany. In a recent Siemens test, 85 percent of office workers were duped by engineering What are they looking for? Obtaining simple information such as your pet's name, where you're from, the places you've visited; information that you'd give out freely to your friends. Think of yourself as a walking computer, full of valuable information about yourself. You've got a name, address, and valuables. Now categorize those items like a business does. Personally identifiable data, financial information, cardholder data, health insurance data, credit reporting data, and so on… Take a close look at some of the 'secure' sites you log into. Some have a 'secret question' you have to answer, if you cannot
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages37 Page
-
File Size-