Cybersecurity: Why the Dark Web Should Be Your Guide - PACB Technology & Operations Conference March 12, 2019

Cybersecurity: Why the Dark Web Should Be Your Guide
PACB Technology & Operations Conference
March 12, 2019

Presented by:
Jeremy Burris, Principal
S.R. Snodgrass, P.C.
About the Speaker
    Jeremy Burris, Principal
    S.R. Snodgrass, P.C.
    CISA, CISSP, MCP, L|PT, CPTS, C|EH, CICP, ECSA, Security+
    jburris@srsnodgrass.com

    Ø Jeremy is a Principal in the Technology Services practice of the
      S.R. Snodgrass, P.C. Financial Institution Services Group.

    Ø He worked as a Network Administrator for a Bank for 4 years and
      has over 20 years of experience in IT.

    Ø At Snodgrass, Jeremy specializes in security. He performs attack
      and penetration tests for financial institutions and has numerous
      certifications and licenses in the area of security.

                                                      ©2019 S.R. Snodgrass, P.C.   1
We Will Cover
     I.     What is the Dark Web?
               A. Definitions
               B. Uses for the Deep Web vs. the Dark Web
               C. Interesting facts
               D. Be extremely cautious if surfing the Dark Web
     II.    What do we need to know about the Dark Web?
     III.   Knowing what we know – how can we use this as a guide?
               A. Design controls that are “detective” and “reactionary” as
                   opposed to “preventative”
               B. Example: internet banking over the years
               C. Educate customers and employees
     IV.    Trending threats/weakest links
     V.     What are regulators looking for in cybersecurity programs?

First, a disclaimer

      This presentation is an informational guide to understanding the
      Dark Web. We recommend you do not surf the Dark Web, and we
      will not provide information on how to access the Dark Web.

I. What is the Dark Web?
       A.   Definitions – Deep Web vs. Dark Web
            The Deep Web is the portion of the internet that is hidden from
            conventional search engines (for example, by encryption) and is
            the aggregate of unindexed websites.

            The Dark Web is the portion of the internet that is
            intentionally hidden from search engines, is reached through
            masked IP addresses, and is only accessible with a special web
            browser.

            So, the Dark Web is part of the Deep Web.

            https://gbhackers.com

I. What is the Dark Web?

 Source: darkwebnews.com
I. What is the Dark Web?
      B.   Uses for the Deep Web vs. the Dark Web
           Deep Web usage:
                1.   Webmail
                2.   Internet banking
                3.   Paid services like video/music-on-demand
                4.   Anything that should be encrypted
           Dark Web usage:
                1.    Illegal material
                2.    Selling illegal things:
                      a)   Drugs
                      b)   Hacking software
                      c)   Counterfeit monies
                      d)   Weapon trafficking
                      e)   Stolen financial data
I. What is the Dark Web? POP QUIZ
            Surface Web, Deep Web, or Dark Web?

I. What is the Dark Web? POP QUIZ

                       Answer: Deep Web

     Users cannot simply search for a person’s name and get his or her
     financial data. Financial information is encrypted and intentionally
     made to not be indexed by search engines.

I. What is the Dark Web? POP QUIZ
            Surface Web, Deep Web, or Dark Web?

I. What is the Dark Web? POP QUIZ

                      Answer: Dark Web

     The telltale signs that this is the Dark Web are the topics and the
     URL, which ends in .onion. A standard Internet Explorer, Google Chrome,
     Safari, or Firefox browser is not being used.

I. What is the Dark Web? POP QUIZ
            Surface Web, Deep Web, or Dark Web?

I. What is the Dark Web? POP QUIZ

                       Answer: Surface Web

     This is a great example (and not just because it’s a wrestling site). At
     first glance, you might think this is from the Deep Web because it is an
     https (encrypted) website. However, you can search for “Penn State
     Wrestling Club” and easily find this webpage.
     Now, you’ll notice the “login” button. You’d assume the data behind
     that login would then be “deep web” pages, because those would
     presumably not be searchable by the search engines.
     Tricky? Yeah, sometimes. But the point is, it should be pretty clear
     what pages are from the Dark Web and which are not.

I. What is the Dark Web?
     C.   Interesting facts
          1.       We’re all familiar with the vast size of the surface web. Researchers
                   estimate that only 4% of the entire web is visible to the general
                   public. Think of how big that makes the Deep Web! [1]

          2.       It is estimated that 57% of the Dark Web is occupied by
                   unauthorized content such as illicit finances, drug hubs, weapon
                   trafficking, and counterfeit currency flow. [1]

          3.       The Tor network is often associated with the Dark Web. There is an
                   actual Tor browser that works on the principle of “onion” routing:
                   the user’s data is first encrypted and then transferred through
                   different relays, which creates layers of security in an attempt to
                   keep the user’s identity safe. Websites accessed using this software
                   end in .onion.

               [1] https://gbhackers.com
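To make the “layers of security” in item 3 concrete, here is an added toy simulation (not part of the original presentation and not Tor’s actual protocol): the client wraps its message in one encryption layer per relay, and each relay can strip only its own layer, so the entry relay learns who sent the message but not where it is going, while the exit relay learns the destination but not the sender. The relay names, keys and the SHA-256-based stream cipher are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import os

# Toy stream cipher (SHA-256 in counter mode) plus an HMAC tag, so a layer can
# only be removed by the relay holding that layer's key. Illustration only:
# Tor uses real ciphers and a circuit handshake, not this construction.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer tampered with or wrong relay key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_onion(relays, destination: str, payload: bytes) -> bytes:
    """Wrap the payload inside out: the exit relay's layer names the destination,
    every other layer names only the next relay in the circuit."""
    next_hops = [name for name, _ in relays[1:]] + [destination]
    blob = payload
    for (_name, key), nxt in reversed(list(zip(relays, next_hops))):
        blob = seal(key, json.dumps({"next": nxt, "body": blob.hex()}).encode())
    return blob

def peel(key: bytes, blob: bytes):
    """One relay strips its own layer and learns only the next hop."""
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["body"])

def simulate(relays, sender: str, destination: str, payload: bytes):
    """Return what each relay sees as (relay, previous hop, next hop), plus the
    payload the exit finally delivers."""
    views, prev, blob = [], sender, build_onion(relays, destination, payload)
    for name, key in relays:
        nxt, blob = peel(key, blob)
        views.append((name, prev, nxt))
        prev = name
    return views, blob

# Constructed three-relay circuit with per-relay keys (hypothetical values).
RELAYS = [("entry", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]
```

Calling `simulate(RELAYS, "client", "example.onion", b"GET / HTTP/1.1")` shows the entry relay seeing only (client, middle) and the exit relay seeing only (middle, example.onion); no single relay sees both ends.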
I. What is the Dark Web?
      D.        Be extremely cautious if surfing the Dark Web
      Again, we advise you avoid the Dark Web, but if you do browse:
           1.     Make sure you are anonymous, especially if viewing the
                  Darknet Markets that sell illegal things. Why? Because law
                  enforcement tries to track those on the Dark Web
           2.     Turn off JavaScript and disconnect or cover your webcam
                  and microphone
           3.     Never use your real name, real photos, or email address
           4.     Make sure to use a password you don’t use anywhere else
           5.     No one on the Dark Web is your friend. Assume everyone is
                  trying to hack your data while you surf
           6.     If you don’t understand the Dark Web and the security (or
                  lack thereof) involved with it, DON’T go there

II. What do we need to know about the Dark Web?
      Thanks to major breaches like the ones listed below, we should assume our
      personal data and that of our customers is out there “for sale”: [1]
          1.      Marriott (500 million affected customers)
          2.      eBay (145 million affected customers)
          3.      Equifax (143 million affected customers)
          4.      Heartland Payment Systems (134 million affected customers)
          5.      Target Stores (110 million affected customers)
          6.      TJX Companies, Inc. (94 million affected customers)
          7.      Anthem (78.8 million affected customers)
          8.      Sony’s PlayStation Network (77 million affected customers)
          9.      JPMorgan Chase (76 million affected customers)
          10. Home Depot (56 million affected customers)

          [1] https://www.csoonline.com
III. Knowing what we know, how can we use this as a guide?
       The previous slide’s total is 1.4 billion affected people. And that is only
       the top 10 listing! To put this into perspective, in 2017, there were
       325.7 million people in the United States (according to the U.S.
       Census Report) and 7.53 billion people in the world.
       A. Banks should focus just as much on designing controls that
          are detective and reactionary in nature as they are in
          designing controls that are preventative.
          1. If we assume breaches have already occurred (because they likely have
             occurred) and assume our data is for sale on the Dark Web (because
             likely it is), then preventative controls only prevent future breaches (still
             important for things like newly opened accounts)
          2. Detective and reactionary controls will allow banks to detect and respond
             to misuse of customer information more quickly
          3. Let’s face it, we will never be ahead of the hackers, so we need to learn
             to detect stolen identities and react faster

III. Knowing what we know, how can we use this as a guide?
        B. Internet banking over the years (cat and mouse game)
          1. In the late 1990s and early 2000s, internet banking was fairly new. The
             banking industry started with usernames and passwords only.
             (Preventative Control)
          2. After only a few years, bankers realized fraud was on the rise and that
             passwords were being stolen too often. So the banking industry’s
             solution was to do a username, password, and challenge question
             answer. (Preventative Control)
          3. In 2005, the FFIEC released a statement that indicated that challenge
             questions were no longer working and required Multi-Factor
             Authentication. (Preventative Control)
          4. In 2012, the FFIEC released a supplement to the Multi-Factor
             Authentication requirement that admitted hackers were even finding
             ways around that and required daily reviews of high-dollar amount and
             high frequency transactions to allow for the contacting of the customer
             for suspicious activity. (Detective and Reactionary Control)
          5. Today, most major internet banking companies can now provide reports
             of potential suspicious activity for banks to act upon.
             (Detective and Reactionary Control)
III. Knowing what we know, how can we use this as a guide?

       B. Internet banking over the years (cat and mouse game)
            6. Notice the trend is changing. The first three steps were preventative
               controls in trying to prevent fraud from occurring.
            7. The last two steps are detective and reactionary controls designed to
               catch the fraud before it posts.

       By admitting we will never be as good as the hackers, and admitting they
       will find a way around any preventative controls we put in place, the move
       towards detective and reactionary controls appears to be the new
       approach (and is a very logical one!)

       A potential banking problem to discuss:
       1.   Same-day ACH payments
              a) Very convenient, but what will this do to the above detective and
                 reactionary controls?

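The daily review of high-dollar and high-frequency transactions in step 4 is a detective control that only works if the review happens before the funds settle, which is exactly what the same-day ACH question above puts under pressure. The following added example (not from the presentation) runs a simple version of that review over a constructed ledger and measures the hours left between the morning review and settlement; the thresholds, review time and sample transactions are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample ledger (not real data): account, initiation time, amount,
# and when the funds settle (leave the bank).
SAMPLE_TXS = [
    {"account": "A-100", "ts": datetime(2019, 3, 11, 9, 15), "amount": 120.00,
     "settles": datetime(2019, 3, 12, 9, 0)},
    {"account": "A-100", "ts": datetime(2019, 3, 11, 9, 40), "amount": 6500.00,
     "settles": datetime(2019, 3, 12, 9, 0)},          # next-day ACH
    {"account": "B-200", "ts": datetime(2019, 3, 11, 10, 5), "amount": 950.00,
     "settles": datetime(2019, 3, 11, 17, 0)},         # same-day ACH
    {"account": "B-200", "ts": datetime(2019, 3, 11, 10, 9), "amount": 980.00,
     "settles": datetime(2019, 3, 11, 17, 0)},
    {"account": "B-200", "ts": datetime(2019, 3, 11, 10, 14), "amount": 990.00,
     "settles": datetime(2019, 3, 11, 17, 0)},
    {"account": "C-300", "ts": datetime(2019, 3, 11, 14, 0), "amount": 45.00,
     "settles": datetime(2019, 3, 12, 9, 0)},
]

HIGH_DOLLAR = 5000.00    # assumed review thresholds; each bank sets its own
HIGH_FREQUENCY = 3       # transactions per account per day

def flag_for_review(txs, high_dollar=HIGH_DOLLAR, high_frequency=HIGH_FREQUENCY):
    """Daily review rule: group by account and day, then flag high-dollar items
    and high-frequency bursts. Returns {account: [reasons]} for the call list."""
    by_account_day = defaultdict(list)
    for t in txs:
        by_account_day[(t["account"], t["ts"].date())].append(t)
    flagged = {}
    for (account, day), items in by_account_day.items():
        reasons = []
        big = [t for t in items if t["amount"] >= high_dollar]
        if big:
            reasons.append(f"{len(big)} transaction(s) >= {high_dollar:.2f} on {day}")
        if len(items) >= high_frequency:
            reasons.append(f"{len(items)} transactions on {day}")
        if reasons:
            flagged[account] = reasons
    return flagged

def review_window_hours(tx, review_at):
    """Hours left between the review and settlement. Negative means the funds
    already left before anyone could contact the customer."""
    return (tx["settles"] - review_at).total_seconds() / 3600

NEXT_MORNING_REVIEW = datetime(2019, 3, 12, 8, 0)   # assumed daily review time
```

With these inputs the next-day ACH on A-100 still leaves one hour to call the customer, while the same-day ACH burst on B-200 settled fifteen hours before the review, so the reactionary step arrives too late unless the review runs intraday.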
III. Knowing what we know, how can we use this as a guide?

      C. Customers and employees should be educated on best
         practices:
          1.   Check your accounts daily and call the banking institution if there is
               unauthorized activity
          2.   Check your credit score at least quarterly
          3.   Keep up-to-date on security news and best practices as much as
               possible
          4.   Read news articles about breaches to learn more about how they are
               happening
          5.   Choose to receive alerts. Credit card companies and online banking
               providers usually offer text or email alerts
          6.   Be prepared – keep the fraud phone numbers for your credit card
               companies and banking cards handy and ready

IV. Trending Threats/Weakest Links
       A. The human factor (employees and customers) is still by far the
            weakest link to security
             1.   Phishing emails
             2.   Spear-phishing emails
             3.   Spoofed emails
             4.   Removable media attacks
             5.   Phone scams
       B.    Exploits in weaknesses in bank controls
             1.   Lack of “call-back” features for wire transfers
             2.   Lack of follow-up on emails dealing with a security-related topic
             3.   Lack of segregation of duties/dual controls
       C.    General hacking trends
             1.   Machine learning to assist in hacks
             2.   Hacking linked to organized crime and nation states
             3.   Ransomware
             4.   Internet of Things (IoT) hacks
V. What are regulators looking for in cybersecurity programs?
       A. CAT Tool baseline minimum
            1.   The CAT Tool is not a new, cutting-edge tool or best practice. Most of
                 the items in the CAT Tool have been around for years. What it is,
                 however, is an excellent source for an abundance of best practices
                 with the ability to rank a financial institution’s security posture
            2.   If you are not meeting baseline security requirements of the CAT Tool,
                 expect to have findings
            3.   Independent internal vulnerability assessments/penetration tests
                 along with social engineering
       B.   Vendor management (especially cloud vendors)
            1.   Review of security controls
            2.   Review of data recovery capabilities
             3.   Review of storage locations and encryption of data (at rest and in
                  transit)

V. What are regulators looking for in cybersecurity programs?
        C.   Miscellaneous topics
             1.   Data loss prevention
             2.   Multi-Factor Authentication for remote access
             3.   Cybersecurity inclusion in the annual security report to the board
             4.   A link between continuity/disaster recovery planning and the incident
                  response plan (i.e., how do you recover from a cyber attack, such as
                  ransomware or DDoS)
             5.   Incident response plan (covering different types of scenarios and
                  ensuring there is an annual table-top test of the plan)

QUESTIONS?
