Cybersecurity: Why the Dark Web Should Be Your Guide - PACB Technology & Operations Conference March 12, 2019
Cybersecurity: Why the Dark Web Should Be Your Guide
PACB Technology & Operations Conference, March 12, 2019
Presented by: Jeremy Burris, Principal, S.R. Snodgrass, P.C.
About the Speaker
Jeremy Burris, Principal, S.R. Snodgrass, P.C.
CISA, CISSP, MCP, L|PT, CPTS, C|EH, CICP, ECSA, Security+
jburris@srsnodgrass.com
- Jeremy is a Principal in the Technology Services practice of the S.R. Snodgrass, P.C. Financial Institution Services Group.
- He worked as a Network Administrator for a bank for 4 years and has over 20 years of experience in IT.
- At Snodgrass, Jeremy specializes in security. He performs attack and penetration tests for financial institutions and has numerous certifications and licenses in the area of security.
©2019 S.R. Snodgrass, P.C. 1
We Will Cover
I. What is the Dark Web?
   A. Definitions
   B. Uses for the Deep Web vs. the Dark Web
   C. Interesting facts
   D. Be extremely cautious if surfing the Dark Web
II. What do we need to know about the Dark Web?
III. Knowing what we know, how can we use this as a guide?
   A. Design controls that are “detective” and “reactionary” as opposed to “preventative”
   B. Example: internet banking over the years
   C. Educate customers and employees
IV. Trending threats/weakest links
V. What are regulators looking for in cybersecurity programs?
First, a disclaimer
This presentation is an informational guide to understanding the Dark Web. We recommend you do not surf the Dark Web, and we will not provide information on how to access the Dark Web.
I. What is the Dark Web?
A. Definitions: Deep Web vs. Dark Web
The Deep Web is the portion of the internet that is hidden from conventional search engines, such as by encryption, and is the aggregate of unindexed websites.
The Dark Web is the portion of the internet that is intentionally hidden from search engines, lets users access it using masked IP addresses, and is only accessible with a special web browser.
So, the Dark Web is part of the Deep Web.
Source: https://gbhackers.com
I. What is the Dark Web?
B. Uses for the Deep Web vs. the Dark Web
Deep Web usage:
1. Webmail
2. Internet banking
3. Paid services like video/music-on-demand
4. Anything that should be encrypted
Dark Web usage:
1. Illegal material
2. Selling illegal things:
   a) Drugs
   b) Hacking software
   c) Counterfeit monies
   d) Weapon trafficking
   e) Stolen financial data
I. What is the Dark Web?
POP QUIZ
Answer: Deep Web
Users cannot simply search for a person’s name and get his or her financial data. Financial information is encrypted and intentionally made to not be indexed by search engines.
I. What is the Dark Web?
POP QUIZ
Surface Web, Deep Web, or Dark Web?
I. What is the Dark Web?
POP QUIZ
Answer: Dark Web
Telltales of this being the Dark Web are the topics and also the URL ending: .onion. A standard Internet Explorer, Google Chrome, Safari, or Firefox browser is not being used.
I. What is the Dark Web?
POP QUIZ
Surface Web, Deep Web, or Dark Web?
I. What is the Dark Web?
POP QUIZ
Answer: Surface Web
This is a great example (and not just because it’s a wrestling site). At first glance, you might think this is from the Deep Web because it is an https (encrypted) website. However, you can search for “Penn State Wrestling Club” and easily find this webpage. Now, you’ll notice the “login” button. You’d assume the data behind that login would then be “deep web” pages, because those would presumably not be searchable by the search engines. Tricky? Yeah, sometimes. But the point is, it should be pretty clear which pages are from the Dark Web and which are not.
I. What is the Dark Web?
C. Interesting facts
1. We’re all familiar with the vast size of the surface web. Researchers estimate that only 4% of the entire web is visible to the general public. Think of how big that makes the Deep Web! [1]
2. It is estimated that 57% of the Dark Web is occupied by unauthorized content such as illicit finances, drug hubs, weapon trafficking, and counterfeit currency flow. [1]
3. The Tor network is often associated with the Dark Web. There is an actual Tor browser that works on the principle of “onion” routing: the user’s data is first encrypted and then transferred through different relays, which creates layers of security in an attempt to keep the user’s identity safe. Websites accessed using this software end in .onion. [1]
[1] https://gbhackers.com
I. What is the Dark Web?
D. Be extremely cautious if surfing the Dark Web
Again, we advise you avoid the Dark Web, but if you do browse:
1. Make sure you are anonymous, especially if viewing the Darknet Markets that sell illegal things. Why? Because law enforcement tries to track those on the Dark Web.
2. Turn off JavaScript and disconnect or cover your webcam and microphone.
3. Never use your real name, real photos, or email address.
4. Make sure to use a password you don’t use anywhere else.
5. No one on the Dark Web is your friend. Assume everyone is trying to hack your data while you surf.
6. If you don’t understand the Dark Web and the security (or lack thereof) involved with it, DON’T go there.
II. What do we need to know about the Dark Web?
Thanks to major breaches like the ones listed below, we should assume our personal data and that of our customers is out there “for sale”: [1]
1. Marriott (500 million affected customers)
2. eBay (145 million affected customers)
3. Equifax (143 million affected customers)
4. Heartland Payment Systems (134 million affected customers)
5. Target Stores (110 million affected customers)
6. TJX Companies, Inc. (94 million affected customers)
7. Anthem (78.8 million affected customers)
8. Sony’s PlayStation Network (77 million affected customers)
9. JPMorgan Chase (76 million affected customers)
10. Home Depot (56 million affected customers)
[1] https://www.csoonline.com
III. Knowing what we know, how can we use this as a guide?
The previous slide’s total is 1.4 billion affected people. And that is only the top 10 listing! To put this into perspective, in 2017 there were 325.7 million people in the United States (according to the U.S. Census Report) and 7.53 billion people in the world.
A. Banks should focus just as much on designing controls that are detective and reactionary in nature as they do on designing controls that are preventative.
1. If we assume breaches have already occurred (because they likely have occurred) and assume our data is for sale on the Dark Web (because likely it is), then preventative controls only prevent future breaches (still important for things like newly opened accounts).
2. Detective and reactionary controls will allow banks to detect and respond to misuse of customer information more quickly.
3. Let’s face it, we will never be ahead of the hackers, so we need to learn to detect stolen identities and react faster.
III. Knowing what we know, how can we use this as a guide?
B. Internet banking over the years (cat and mouse game)
1. In the late 90’s and early 2000’s, internet banking was fairly new. The banking industry started with usernames and passwords only. (Preventative Control)
2. After only a few years, bankers realized fraud was on the rise and that passwords were being stolen too often. So the banking industry’s solution was to require a username, password, and challenge question answer. (Preventative Control)
3. In 2005, the FFIEC released a statement that indicated that challenge questions were no longer working and required Multi-Factor Authentication. (Preventative Control)
4. In 2012, the FFIEC released a supplement to the Multi-Factor Authentication requirement that admitted hackers were even finding ways around that, and required daily reviews of high-dollar-amount and high-frequency transactions so that the customer can be contacted about suspicious activity. (Detective and Reactionary Control)
5. Today, most major internet banking companies can provide reports of potential suspicious activity for banks to act upon. (Detective and Reactionary Control)
III. Knowing what we know, how can we use this as a guide?
B. Internet banking over the years (cat and mouse game)
6. Notice the trend is changing. The first three steps were preventative controls, trying to prevent fraud from occurring.
7. The last two steps are detective and reactionary controls designed to catch the fraud before it posts. By admitting we will never be as good as the hackers, and admitting they will find a way around any preventative controls we put in place, the move towards detective and reactionary controls appears to be the new approach (and is a very logical one!).
A potential banking problem to discuss:
1. Same-day ACH payments
   a) Very convenient, but what will this do to the above detective and reactionary controls?
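As an added illustration of the daily review in steps 4 and 5 and of the same-day ACH question above (example code written for this page, not from the presentation or from any banking vendor): it flags high-dollar and high-frequency items from a constructed day's log and marks whether each can still be held when the daily review runs. The thresholds, review time, and settlement rule are assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample of one day's outbound items (not real bank data):
# timestamp,account,type,amount,settlement
SAMPLE_LOG = """\
2019-03-12T08:05:00,ACCT-1001,ACH,250.00,next-day
2019-03-12T09:10:00,ACCT-1002,ACH,15000.00,same-day
2019-03-12T09:12:00,ACCT-1003,ACH,900.00,same-day
2019-03-12T09:15:00,ACCT-1003,ACH,950.00,same-day
2019-03-12T09:20:00,ACCT-1003,ACH,975.00,same-day
2019-03-12T09:25:00,ACCT-1003,ACH,990.00,same-day
2019-03-12T14:00:00,ACCT-1004,WIRE,12000.00,next-day
"""
HIGH_DOLLAR = 10000.00  # assumed per-item review threshold
HIGH_FREQUENCY = 4      # assumed items per account per day that trigger review
REVIEW_TIME = datetime(2019, 3, 12, 16, 0)  # assumed: daily review runs at 16:00

Txn = namedtuple("Txn", "ts account kind amount settlement")

def parse_log(text):
    """Parse the CSV-style log into Txn records."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return [Txn(datetime.fromisoformat(ts), acct, kind, float(amt), settle)
            for ts, acct, kind, amt, settle in rows]

def can_still_hold(t, review_time):
    """Assumption: a next-day item can still be held when the review runs, but a
    same-day item submitted before the review has already settled."""
    return t.settlement != "same-day" or t.ts >= review_time

def daily_review(txns, review_time):
    """Return (account, reason, value, holdable) alerts for contacting the customer.
    holdable is False when the funds have already left: the control is then only
    detective, no longer reactionary."""
    alerts, per_account = [], defaultdict(list)
    for t in txns:
        per_account[t.account].append(t)
        if t.amount >= HIGH_DOLLAR:
            alerts.append((t.account, "high-dollar", t.amount, can_still_hold(t, review_time)))
    for acct, items in per_account.items():
        if len(items) >= HIGH_FREQUENCY:
            holdable = any(can_still_hold(t, review_time) for t in items)
            alerts.append((acct, "high-frequency", len(items), holdable))
    return alerts

def run_sample():
    return daily_review(parse_log(SAMPLE_LOG), REVIEW_TIME)
```

In the sample, the same-day items are detected but can no longer be held by the time the review runs, which is the gap the same-day ACH question points at.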
III. Knowing what we know, how can we use this as a guide?
C. Customers and employees should be educated on best practices:
1. Check your accounts daily and call the banking institution if there is unauthorized activity.
2. Check your credit score at least quarterly.
3. Keep up to date on security news and best practices as much as possible.
4. Read news articles about breaches to learn more about how they are happening.
5. Choose to receive alerts. Credit card companies and online banking providers usually offer text or email alerts.
6. Be prepared: keep the fraud phone numbers for your credit card companies and banking cards handy and ready.
IV. Trending Threats/Weakest Links
A. The human factor (employees and customers) is still by far the weakest link in security
1. Phishing emails
2. Spear-phishing emails
3. Spoofed emails
4. Removable media attacks
5. Phone scams
B. Exploits of weaknesses in bank controls
1. Lack of “call-back” features for wire transfers
2. Lack of follow-up on emails dealing with a security-related topic
3. Lack of segregation of duties/dual controls
C. General hacking trends
1. Machine learning to assist in hacks
2. Hacking linked to organized crime and nation states
3. Ransomware
4. Internet of Things (IoT) hacks
V. What are regulators looking for in cybersecurity programs?
A. CAT Tool baseline minimum
1. The CAT Tool is not a new, cutting-edge tool or best practice. Most of the items in the CAT Tool have been around for years. What it is, however, is an excellent source for an abundance of best practices, with the ability to rank a financial institution’s security posture.
2. If you are not meeting the baseline security requirements of the CAT Tool, expect to have findings.
3. Independent internal vulnerability assessments/penetration tests along with social engineering.
B. Vendor management (especially cloud vendors)
1. Review of security controls
2. Review of data recovery capabilities
3. Review of storage locations and encryption of data (at rest and in-transit)
V. What are regulators looking for in cybersecurity programs?
C. Miscellaneous topics
1. Data loss prevention
2. Multi-Factor Authentication for remote access
3. Cybersecurity inclusion in the annual security report to the board
4. A link between continuity/disaster recovery planning and the incident response plan (i.e., how do you recover from a cyber attack, such as ransomware or DDoS)
5. Incident response plan (covering different types of scenarios and ensuring there is an annual table-top test of the plan)
QUESTIONS?