Hacking & Social Engineering - Steve Smith, President Innovative Network Solutions, Inc - Association of Indiana Counties

Hacking & Social Engineering

Steve Smith, President
Innovative Network Solutions, Inc.
Presentation Contents

Hacking
  - Crisis
  - What is Hacking / Who is a Hacker
  - History of Hacking
  - Why do hackers hack?
  - Types of Hacking
  - Statistics
  - Infrastructure Trends
  - What should you do after being hacked
  - Proactive Steps
Social Engineering
  - Objective
  - What is Social Engineering
  - What are they looking for?
  - Tactics
  - Protecting yourself
INS Approach
  - Infrastructure Assessment
  - Network Traffic Assessment
  - Social Engineering Assessment
Conclusion
Security is Everyone’s Responsibility – See Something, Say Something!
Hacking
Crisis
- The Internet has grown very fast and security has lagged behind.
- It can be hard to trace the perpetrator of a cyber attack because most are able to camouflage their identities.
- Large-scale failures on the Internet can have a catastrophic impact on:
  - the economy, which relies heavily on electronic transactions
  - human life, when hospitals or government agencies such as first responders are targeted
Hacking & Social Engineering - Steve Smith, President Innovative Network Solutions, Inc - Association of Indiana Counties
What is Hacking?
The process of attempting to gain, or successfully gaining, unauthorized access to computer resources.

Who is a Hacker?
In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network.
History of Hacking
- Began as early as 1903: magician and inventor Nevil Maskelyne disrupted John Ambrose Fleming's public demonstration of Guglielmo Marconi's purportedly secure wireless telegraphy technology, sending insulting Morse code messages through the auditorium's projector.
- The term “hacker” originated in the 1960s at MIT, where hacking began.
- A network known as ARPANET was founded by the Department of Defense as a means to link government offices. In time, ARPANET evolved into what is today known as the Internet.
- During the 1980s, hacking was not known amongst the masses as it is today. To be a hacker was to be part of a very exclusive and secluded group.
- Hackers have developed methods to exploit security holes in various computer systems.
Why do hackers hack?
- Just for fun
- To show off
- To hack other systems secretly
- To broadcast their views to many people
- To steal important information
- To destroy an enemy’s computer network during war
Types of Hacking

Indiana State and Local Government
Residents have entrusted their elected officials and government employees with important data. This includes medical records, tax assessment data, property records, court records, personnel staffing records, criminal justice records, surveying records and more.

Unfortunately, there are some governments that may manage their confidential data themselves using old hardware and/or software systems that could make them more vulnerable to cyber threats. This is especially true for those that manage the utilities, creating a situation in which not only information is being stored and at risk, but so are the industrial controls and critical infrastructure.

Unlike intrusion into information technology systems, which results in the loss of data, the compromise of industrial control systems can allow attackers to take control of physical infrastructure and mechanical systems. This evolving threat puts complex manufacturing, energy infrastructure, water utilities and petrochemical production systems at risk for attack. In 2012 alone, the U.S. Department of Homeland Security reported nearly 200 attacks on industrial control systems, 40% of which were against energy production and distribution systems.

Source: http://www.in.gov/cybersecurity/2529.htm
Statistics (Q2 2017)

Exploits
  - 184 billion exploit detections
  - 1.8 billion average daily volume
  - 6,298 unique exploit detections
  - 69% of firms saw severe exploits

Malware
  - 62 million malware detections
  - 677,000 average daily volume
  - 16,582 variants in 2,534 families
  - 18% of firms saw mobile malware

Botnets
  - 2.9 billion botnet detections
  - 32 million average daily volume
  - 243 unique botnets detected
  - 993 daily communications per firm
Infrastructure Trends
What should you do after being hacked?
- Shut down and turn off the system
- Unplug the network cable from the computer or shut off the wireless network
- Report the crime
- Paying the ransom is no guarantee
- Contact experts (your IT department or IT support company)
- Have a Plan B
Proactive Steps

What can you do?

Website Hacking
- Keep all software up to date (operating systems and any software running on the website)
- SQL injection: you can easily prevent this by always using parameterized queries
- XSS (cross-site scripting): ensure that users cannot inject active JavaScript content into your pages
- Error messages: provide only minimal errors and error information to your users, so that they don't leak potential vulnerabilities present on your server
- Server-side validation / form validation: validation should always be done both in the browser and on the server side
- File uploads: do NOT allow them. Allowing users to upload files to your website can be a big website security risk, even if it’s simply to change their avatar
- HTTPS: HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees to users that they're talking to the server they expect, and that nobody else can intercept or change the content they're seeing in transit
- Website security tools: they work on a similar basis to the scripts hackers use, in that they test all known exploits and attempt to compromise your site
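As an added example (not code from the slides), the SQL injection and XSS bullets above shown as a vulnerable login lookup beside its parameterized form, and a greeting fragment rendered with and without HTML encoding. The user table, its rows and the hash-placeholder values are constructed here, and Python's built-in sqlite3 stands in for whatever database a website uses.

```python
import html
import sqlite3

# Constructed in-memory user table; pw_hash values are placeholders, not real hashes.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
CONN.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "hash-placeholder-1"), ("bob", "hash-placeholder-2")])


def login_matches_vulnerable(username: str, pw_hash: str) -> int:
    """Builds the statement by string concatenation, so a quote in the input
    ends the literal and the rest of the input is parsed as SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + pw_hash + "'")
    return CONN.execute(sql).fetchone()[0]


def login_matches_parameterized(username: str, pw_hash: str) -> int:
    """Same lookup with bound parameters: the statement text is fixed and the
    driver passes the values separately, so quotes in the input stay data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?"
    return CONN.execute(sql, (username, pw_hash)).fetchone()[0]


def greeting_vulnerable(display_name: str) -> str:
    """Interpolates user-controlled text into HTML unchanged (the XSS bullet)."""
    return "<p>Welcome, " + display_name + "</p>"


def greeting_escaped(display_name: str) -> str:
    """Encodes the text for an HTML element context so it cannot become markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    # Classic textbook input: a quote that closes the literal plus a tautology.
    tainted = "x' OR '1'='1"
    print(login_matches_vulnerable("alice", tainted))      # 2: every row matches
    print(login_matches_parameterized("alice", tainted))   # 0: no such hash
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_escaped("<script>alert(1)</script>"))
```

The parameterized lookup returns 0 for the tainted value because the database compares it as a literal string; the escaped greeting turns the angle brackets into entities, so the browser shows the text instead of executing it.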
Network Hacking
- Maintain a strong firewall
- Conduct regular scans of your network
- Limit remote access and require that it be secure
- Enforce an antivirus/anti-malware policy
- If you maintain credit card information, encrypt the data
- Keep all software up to date (operating systems and any software running on the internal systems)
- Provide and require continual education
Ethical Hacking
- Employ a trusted IT firm offering ethical hacking services to assess your infrastructure
- Independently test your security processes and controls to identify all vulnerabilities in your environment, with a ranking of their level of risk based on the ease with which they can be exploited
- Have identified vulnerabilities exploited (often called penetration testing or pentesting) to demonstrate the consequences if these vulnerabilities were found and exploited by an attacker
- Review your current risks against your desired risk profile, and then develop a reliable, flexible road map that will help you manage your vulnerabilities
Email Security
- Ensure your firewall has the ability to scan inbound email for threats
- Install/implement anti-spam and anti-virus solutions
- Combine these with a malware-prevention system that is able to detect zero-day threats
- Ensure your network is secured to prevent unauthorized access to your email server
- Educate your team (continuously)
Password Security
- Do not write your password down
- Make sure others do not watch you type your password
- Utilize a password policy that consists of:
  - Minimum number of characters
  - Must use special characters
  - Must use a number
  - Must change your password every X months
  - Cannot reuse a password until X changed passwords later
  - Do not use dictionary words

Example: Noah E. Smith
  N0ah3$m1th
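As an added example (not code from the slides), a checker for the password policy bullets above. The values chosen for the policy's "X" parameters (8-character minimum, 90-day rotation, last 5 passwords barred) and the tiny word list standing in for a dictionary are assumptions made here, not figures from the presentation.

```python
import hashlib
import re
from datetime import date, timedelta

# Assumed values for the policy's "X" parameters (the slide leaves them open).
MIN_LENGTH = 8          # minimum number of characters
MAX_AGE_DAYS = 90       # change every X months, taken here as 3 months
HISTORY_DEPTH = 5       # cannot reuse until X passwords have changed
# Constructed stand-in for a dictionary; a real check loads a full word list.
DICTIONARY = {"password", "welcome", "indiana", "summer", "letmein"}


def password_digest(password: str) -> str:
    """History entries are kept as digests so old passwords are not stored in
    clear text. SHA-256 is used only for this demo; production systems store
    passwords with a slow, salted password hash such as bcrypt or argon2."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def policy_violations(candidate: str, history: list) -> list:
    """Returns the policy rules the candidate breaks; an empty list means accepted.
    history holds digests of previous passwords, oldest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    if not re.search(r"[0-9]", candidate):
        problems.append("no number")
    # Dictionary rule: strip digits and symbols and compare the letters that remain.
    letters_only = re.sub(r"[^A-Za-z]", "", candidate).lower()
    if letters_only in DICTIONARY:
        problems.append("based on a dictionary word")
    if password_digest(candidate) in history[-HISTORY_DEPTH:]:
        problems.append("reused within the last %d passwords" % HISTORY_DEPTH)
    return problems


def change_is_due(last_changed_iso: str, today_iso: str) -> bool:
    """True once the current password is older than the rotation window;
    dates are given as ISO strings such as '2017-01-01'."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    previous = [password_digest("N0ah3$m1th")]
    print(policy_violations("N0ah3$m1th", []))        # []: the slide's example passes
    print(policy_violations("N0ah3$m1th", previous))  # reuse rejected
    print(policy_violations("welcome", []))           # four rules broken
    print(change_is_due("2017-01-01", "2017-06-01"))  # True
```

The slide's example passes every rule yet is only a name with digit-for-letter substitutions, a pattern that password-cracking tools apply by rule, so checks like these are a floor for acceptable passwords rather than a measure of strength.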
Online Banking Security
- Follow the proactive steps to a secure password
- Ensure the device you use is adequately secure
- Avoid using public computers or insecure Wi-Fi connections
- Be wary of unsolicited messages supposedly coming from your bank
Computer Security
- Employ hardware protection mechanisms
  - USB dongles to unlock software
  - Computer case intrusion detection
  - Encrypt hard drives
  - Disable USB ports
- Install anti-virus and anti-malware solutions
- Install a local firewall
- Keep the operating system and anti-virus/anti-malware software up to date
- Consider a two-factor authentication solution
- Do not give personal information over unencrypted websites
- Back up your files or save them on a central server
Social Engineering

Objectives
- Understand the principles of social engineering
- Define the goals of social engineering
- Recognize the signs of social engineering
- Identify ways to protect yourself from social engineering
What is Social Engineering?
- At its core it is manipulating a person into knowingly or unknowingly giving up information; essentially 'hacking' into a person to steal valuable information.
- It is a way for criminals to gain access to information systems. The purpose of social engineering is usually to secretly install spyware or other malicious software, or to trick people into handing over passwords and/or other sensitive financial or personal information.
- Social engineering is one of the most effective routes to stealing confidential data from organizations, according to Siemens Enterprise Communications, based in Germany. In a recent Siemens test, 85 percent of office workers were duped by social engineering.
What are they looking for?
- Simple information such as your pet's name, where you're from, the places you've visited: information that you'd give out freely to your friends.
- Think of yourself as a walking computer, full of valuable information about yourself. You've got a name, address, and valuables. Now categorize those items like a business does: personally identifiable data, financial information, cardholder data, health insurance data, credit reporting data, and so on.
- Take a close look at some of the 'secure' sites you log into. Some have a 'secret question' you have to answer if you cannot remember your username or password. The questions seem pretty tough for an outsider trying to hack into your account:
  - What's the name of your first pet?
  - What is your maiden name?
  - When was your mother/father born?
  - Where were you born?
  Do these sound familiar?
Tactics
1. Pretexting – creating a fake scenario
2. Phishing – sending out bait to fool victims into giving away their information
3. Fake websites – molded to look like the real thing; victims log in with real credentials, which are then compromised
4. Fake pop-up – pops up in front of the real website to obtain user credentials
5. Physical intrusions
Protecting Yourself
A security-aware culture can help employees identify and repel social engineering attacks:
- Recognize inappropriate requests for information
- Take ownership of corporate security
- Understand the risk and impact of security breaches
- Social engineering attacks are personal
- Password management
- Two-factor authentication
- Physical security
- Understand what information you are putting on the Web that can be used for targeting at social network sites: Google, Twitter, Instagram, Facebook, personal blogs, LinkedIn
Are You at Risk?

Cyber Security Risk Questionnaire

1. Does your organization have a wireless network, or do employees or customers access your internal systems from remote locations? NO
2. Does anyone in your organization take company-owned mobile devices (e.g. laptops, smartphones, and USB drives) with them, either home or when travelling? NO
3. Does your organization use cloud-based software or storage? NO
4. Does your organization have a “bring your own device” (BYOD) policy that allows employees to use personal devices for business use or on a company network? NO
5. Are any employees allowed access to administrative privileges on your network or computers? NO
6. Does your organization have critical operational systems connected to a public network? NO
7. Does anyone in your organization use computers to access bank accounts or initiate money transfers? NO
8. Does your organization store sensitive information (e.g. financial reports, trade secrets, intellectual property and product designs) that could potentially compromise your organization if stolen? NO
9. Does your organization digitally store the personally identifiable information (PII) of employees or customers? This can include government-issued ID numbers and financial information. NO
10. Is your organization part of a supply chain, or do you have supply chain partners? NO
11. Does your organization conduct business in foreign countries, either physically or online? NO
12. Has your organization ever failed to enforce policies around the acceptable use of computers, email, the Internet, etc.? NO
13. Can the general public access your organization’s building without the use of an ID card? NO
14. Is network security training for employees optional at your organization? NO
15. Can employees use their computers or company-issued devices indefinitely without updating passwords? NO
16. Has your IT department ever failed to install antivirus software or perform regular vulnerability checks? NO
17. Can employees dispose of sensitive information in unsecured bins? NO
18. Would your organization lose critical information in the event of a system failure or other network disaster? NO
19. Can employees easily see what co-workers are doing on their computers? NO
20. Has your organization neglected to review its data security or cyber security policies and procedures within the last year? NO

Risk Assessment: Low Risk
Levels of Risk: Low, Moderate, High, Escalated
INS Approach
- Infrastructure Assessment
- Network Traffic Assessment
- Social Engineering Assessment
- Guide for Cybersecurity Event Recovery
Infrastructure Assessment
The Infrastructure Assessment/Penetration Test is non-intrusive and goes well beyond network discovery and documentation to provide real "value-added intelligence". Our data collectors compare multiple data points to uncover hard-to-detect issues, measure risk based on impact to the network, suggest recommended fixes, and track remediation progress.

27 reports, including: Network Assessment Detail, Client Risks, Network Management Plan, Full Network Assessment, Network Site Diagram, Asset Detail, Excel Analysis Export, Security Assessment, Network Security Risk Review, Network Security Management Plan, External Vulnerabilities Scan Detail, Outbound Security, Security Policy Assessment, Share Permission, User Permissions, User Behavior Analysis, Login History by Computer, Login Failures by Computer, Exchange Assessment, Exchange Management Plan, Exchange Traffic and Use, Exchange Mailbox Detail, Exchange Distribution Lists, Exchange Mailbox Permissions by Mailbox, Exchange Mailbox Permissions by User, Exchange Excel Export, Exchange Mobile Device Report
Network Traffic Assessment
- App intelligence, control and visualization
  - Top apps by risk level
  - Top apps by category
  - Top apps by bandwidth
- Threat prevention
  - Botnet
  - Top exploitation attempts
- Network traffic
  - Top URL categories
  - Top application categories by bandwidth
  - Top country by traffic
  - Top session usage by IP
  - Top traffic usage by IP
  - Top user sessions
  - Top user traffic
Social Engineering Assessment
- Web spoof
  - Mock website looks identical
  - Different URL
  - Requests username and password
- Phone spoof
  - Impersonate IT personnel
  - Explain the “scam”
  - Request the username and password
- Email spoof
  - Impersonate email from an IT leader or executive
  - Request the user to click on a link to a website
  - Perform the items included in the “Web spoof”
Guide for Cybersecurity Event Recovery
- In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning.
- Identifying and prioritizing organization resources helps to guide effective plans and realistic test scenarios. This preparation enables rapid recovery from incidents when they occur and helps to minimize the impact on the organization and its constituents.
- Additionally, continually improving recovery planning by learning lessons from past events, including those of other organizations, helps to ensure the continuity of important mission functions.
- This guide provides tactical and strategic guidance regarding the planning, playbook development, testing, and improvement of recovery planning.
Conclusion
- Cybercrime is a for-profit business generating billions in revenue. Cybercriminals are highly motivated and will use whatever means they have to gain access to your critical data.
- Ransomware is not new, but its recent rise in sophistication and distribution is an escalating trend in finding ways to exploit individuals and businesses.
- Security is not something you add to your business; it is integral to doing business.
- Make sure you are partnering with security experts who understand that security is more than a device. It is:
  - A system of highly integrated technologies
  - Combined with an effective policy
  - A lifecycle approach of preparing, protecting, detecting, responding, and learning
Security is Everyone’s Responsibility – See Something, Say Something!

Questions? Please contact:
steve.smith@i-netsol.com
bob.Kelley@i-netsol.com