Hacking & Social Engineering - Steve Smith, President Innovative Network Solutions, Inc - Association of Indiana Counties
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Hacking
&
Social Engineering
Steve Smith, President
Innovative Network Solutions, Inc.
Presentation Contents
Hacking
Crisis
What is Hacking/Who is a Hacker
History of Hacking
Why do Hackers hack?
Types of Hacking
Statistics
Infrastructure Trends
What should you do after being hacked
Proactive Steps
Social Engineering
Objective
What is Social Engineering
What are they looking for?
Tactics
Protecting yourself
INS Approach
Infrastructure Assessment
Network Traffic Assessment
Social Engineering Assessment
Conclusion
Security is Everyone’s Responsibility – See Something, Say Something!
Hacking
Crisis
Internet has grown very fast and security has lagged behind
It can be hard to trace a perpetrator of cyber attacks because
most are able to camouflage their identities
Large scale failures on the internet can have a catastrophic
impact on:
the economy which relies heavily on electronic transactions
human life, when hospitals or government agencies, such as first
responders are targeted
What is Hacking?
The Process of attempting to gain or successfully gaining,
unauthorized access to computer resources
Who is a Hacker?
In the computer security context, a hacker is
someone who seeks and exploits weaknesses
in a computer system or computer network.History of Hacking
Began as early as 1903:
Magician and inventor Nevil Maskelyne disrupts John Ambrose Fleming's public
demonstration of Guglielmo Marconi's purportedly secure wireless telegraphy
technology, sending insulting Morse code messages through the auditorium's
projector
The term “Hacker” originated in the 1960’s at MIT
A network known as ARPANET was founded by the Department of
Defense as a means to link government offices. In time, ARPANET
evolved into what is today known as the Internet.
Hacking began in the 1960s at MIT , origin of the term “hacker”.
During the 1980s, hacking was not known amongst the masses as it is
presently. To be a hacker was to be a part of a very exclusive and
secluded group
Hackers have developed methods to exploit security holes in various
computer systemsWhy do hackers hack? Just for fun. Show off. Hack other systems secretly. Notify many people their thought. Steal important information. Destroy enemy’s computer network during the war.
Types of Hacking
Indiana State and Local Government Residents have entrusted their elected officials and government employees with important data. This includes medical records, tax assessment data, property records, court records, personnel staffing records, criminal justice records, surveying records and more. Unfortunately, there are some governments that may manage their confidential data themselves using old hardware and/or software systems that could make them more vulnerable to cyber threats. This is especially true for those that manage the utilities, creating a situation in which not only information is being stored and at risk, but so is the industrial controls and critical infrastructure. Unlike intrusion into information technology systems, which results in the loss of data, the compromise of industrial control systems can allow attackers to take control of physical infrastructure and mechanical systems. This evolving threat puts complex manufacturing, energy infrastructure, water utilities and petrochemical production systems at risk for attack. In 2012 alone, the U.S. Department of Homeland Security reported nearly 200 attacks on industrial control systems, 40% of which were against energy production and distribution systems. http://www.in.gov/cybersecurity/2529.htm
Statistics
Q2 2017 Statistics
Exploits
184 billion exploit detections
1.8 billion average daily volume
6,298 unique exploit detections
69% of firms saw severe exploits
Malware
62 million malware detections
677,000 average daily volume
16,582 variants in 2,534 families
18% of firms saw mobile malwareStatistics
Q2 2017 Statistics
Botnets
2.9 billion botnet detections
32 million average daily volume
243 unique botnets detected
993 daily communications per firmInfrastructure Trends
Infrastructure Trends
What should you do after
being hacked?
Shutdown and turn off the system
Unplug the network cable from the computer or
shutoff the wireless network
Report the crime
Paying the ransom is no guarantee
Contact experts (your IT Department or IT Support
Company)
Have a Plan BProactive Steps What can you do?
Website Hacking Keep all software up to date (Operating Systems and any software running on the website) SQL Injection - You can easily prevent this by always using parameterized queries XSS (Cross-site scripting) - ensure that users cannot inject active JavaScript content into your pages Error Messages - Provide only minimal errors and error information to your users, to ensure they don't leak potential vulnerabilities present on your server Server side validation/form validation - Validation should always be done both on the browser and server side File Uploads – Do NOT allow. Allowing users to upload files to your website can be a big website security risk, even if it’s simply to change their avatar HTTPS - HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees to users that they're talking to the server they expect, and that nobody else can intercept or change the content they're seeing in transit Website Security Tools - They work on a similar basis to scripts hackers will use in that they test all known exploits and attempt to compromise your site
Network Hacking Maintain a strong firewall Conduct regular scans of your network Limit and require secure remote access Enforce antivirus/anti-malware policy If you maintain credit card information, encrypt the data Keep all software up to date (Operating Systems and any software running on the internal systems) Provide and require continual education
Ethical Hacking Employ a trusted IT firm Ethical Hacking Services firm to assess your infrastructure Independently test your security processes and controls, to identify all vulnerabilities of your environment with a ranking of their level of risk based on the ease with which they can be exploited Have identified vulnerabilities exploited (often called penetration testing or pentesting) which is performed to demonstrate the consequences when these vulnerabilities were found and exploited by an attacker Review your current risks against your desired risk profile, and then develop a reliable, flexible road map that will help you manage your vulnerabilities
Email Security Ensure your firewall has ability to scan inbound email threats Install/Implement Anti-spam and Anti-virus solutions Combine a malware-prevention system that is able to detect zero-day threats Ensure your network is secure/protected to prevent access to your email server Educate your team (continuous)
Password Security
Do not write your password down
Make sure others do not watch you type your
password
Utilize a password policy that consists of:
Minimum number of characters
Must use special characters
Must use a number
Must change your password every X months
Cannot use same password until X amount of changed
passwords
Do not use dictionary words
Example: Noah E. Smith
N0ah3$m1thOnline Banking Security Follow the proactive steps to a secure password Ensure the device you use is adequately secure Avoid using public computers or insecure Wi- Fi connections Be wary of unsolicited messages supposedly coming from your bank
Computer Security Employ hardware protection mechanisms USB dongles – to unlock software Computer case intrusion detection Encrypt hard drives Disable USB ports Install Anti-virus and Anti-malware solutions Install local firewall Keep operating system and Anti-virus/Anti-malware software up to date Consider a Two-Factor Authentication solution Do not give personal information over un-encrypted websites Back up your files or save them on a central server
Social Engineering
Objectives
Understand the principles of social
engineering
Define the goals of social engineering
Recognize the signs of social engineering
Identify ways to protect yourself from
social engineering
Security is Everyone's Responsibility – See Something, Say Something!What is Social Engineering At its core it is manipulating a person into knowingly or unknowingly giving up information; essentially 'hacking' into a person to steal valuable information It is a way for criminals to gain access to information systems. The purpose of social engineering is usually to secretly install spyware, other malicious software or to trick persons into handing over passwords and/or other sensitive financial or personal information Social engineering is one of the most effective routes to stealing confidential data from organizations, according to Siemens Enterprise Communications, based in Germany. In a recent Siemens test, 85 percent of office workers were duped by engineering
What are they looking for?
Obtaining simple information such as your pet's name, where you're from, the
places you've visited; information that you'd give out freely to your friends.
Think of yourself as a walking computer, full of valuable information about
yourself. You've got a name, address, and valuables. Now categorize those
items like a business does. Personally identifiable data, financial
information, cardholder data, health insurance data, credit reporting data,
and so on…
Take a close look at some of the 'secure' sites you log into. Some have a 'secret
question' you have to answer, if you cannot remember your username or
password. The questions seem pretty tough for an outsider looking into trying to
hack into your account.
What's the name of your first pet?
What is your maiden name?
When was your mother/father born?
Where were you born?
Do these sound familiar?Tactics 1. Pretexting – Creating a fake scenario 2. Phishing – Send out bait to fool victims into giving away their information 3. Fake Websites – Molded to look like the real thing. Log in with real credentials that are now compromised 4. Fake Pop-up – Pops up in front of real web site to obtain user credentials 5. Physical intrusions
Protecting Yourself
A security aware culture can help employees identify and repel social
engineering attacks
Recognize inappropriate requests for information
Take ownership for corporate security
Understand risk and impact of security breeches
Social engineering attacks are personal
Password management
Two factor authentication
Physical security
Understand what information you are putting on the Web for targeting at social
network sites
Google Twitter
Instagram Facebook
Personal Blogs LinkedInAre You at Risk?
Cyber Security Risk Questionaire
Does your organization have a wireless network, or do employees or customers access your
internal systems from remote locations? NO
Does anyone in your organization take company-owned mobile devices (e.g.laptops,
smartphones, and USB drives) with them, either home or when travelling? NO
Does your organization use Cloud-based software or storage? NO
Does your organization have a “bring your own device” (BYOD) policy that allows employees to
use personal devices for business use or on a company network? NO
Are any employees allowed access to administrative privileges on your network or computers? NO
Does your organization have critical operational systems connected to a public network? NO
Does anyone in your organization use computers to access bank accounts or initiate money
transfers? NO
Does your organization store sensitive information (e.g. financial reports, trade secrets,
intellectual property and product designs) that could potentially compromise your organization if
stolen? NO
Does your organization digitally store the personally identifiable information (PII) of employees
or customers? This can include government-issued ID numbers and financial information. NO
Is your organization part of a supply chain, or do you have supply chain partners? NO
Does your organization conduct business in foreign countries, either physically or online? NO
Has your organization ever failed to enforce policies around the acceptable use of computers,
email, the Internet, etc.? NO
Can the general public access your organization’s building without the use of an ID card? NO
Is network security training for employees optional at your organization? NO
Can employees use their computers or company-issued devices indefinitely without updating
passwords? NO
Has your IT department ever failed to install antivirus software or perform regular vulnerability
checks? NO
Can employees dispose of sensitive information in unsecured bins? NO
Would your organization lose critical information in the event of a system failure or other
network disaster? NO
Can employees easily see what co-workers are doing on their computers? NO
Has your organization neglected to review its data security or cyber security policies and
procedures within the last year? NO
Risk Assessment: Low Risk
Levels of Risk: Low, Moderate, High, EscalatedINS Approach Infrastructure Assessment Network Traffic Assessment Social Engineering Assessment Guide for Cybersecurity Event Recovery
Infrastructure Assessment
The Infrastructure Assessment/Penetrations non-intrusive and goes way
beyond just network discovery and documentation to provide real "value-
added intelligence". Our data collectors compare multiple data points to
uncover hard to detect issues, measure risk based on impact to the network,
suggest recommended fixes, and track remediation progress.
27 Reports including:
Network Assessment Detail, Client Risks, Network Management
Plan, Full Network Assessment, Network Site Diagram, Asset Detail,
Excel Analysis Export, Security Assessment, Network Security Risk
Review, Network Security Management Plan, External Vulnerabilities
Scan Detail, Outbound Security, Security Policy Assessment, Share
Permission, User Permissions, User Behavior Analysis, Login History
by Computer, Login Failures by Computer, Exchange Assessment,
Exchange Management Plan, Exchange Traffic and Use, Exchange
Mailbox Detail, Exchange Distribution Lists, Exchange Mailbox
Permissions by Mailbox, Exchange Mailbox Permissions by User,
Exchange Excel Export, Exchange Mobile Device ReportNetwork Traffic
Assessment
App Intelligence, Control and Visualization
Top Apps by Risk Level
Top Apps by Category
Top Apps by Bandwidth
Threat Prevention
Botnet
Top Exploitation Attempts
Network Traffic
Top URL Categories
Top Application Categories by Bandwidth
Top Country by Traffic
Top Session Usage by IP
Top Traffic Usage by IP
Top User Sessions
Top User TrafficSocial Engineering Web Spoof Mock website looks identical Different URL Request username and password Phone Spoof Impersonate IT personnel Explain the “scam” Request the username and password Email Spoof Impersonate email from IT leader or executive Request user to click on link to website Perform items included in the “Web Spoof”
Guide for Recovery
Cybersecurity Event
In light of an increasing number of cybersecurity events,
organizations can improve resilience by ensuring that their risk
management processes include comprehensive recovery planning.
Identifying and prioritizing organization resources helps to guide
effective plans and realistic test scenarios. This preparation enables
rapid recovery from incidents when they occur and helps to minimize
the impact on the organization and its constituents.
Additionally, continually improving recovery planning by learning
lessons from past events, including those of other organizations,
helps to ensure the continuity of important mission functions.
This guide provides tactical and strategic guidance regarding the
planning, playbook developing, testing, and improvement of
recovery planning.Conclusion
Cybercrime is a for-profit business generating billions in
revenue. Cybercriminals are highly motivated and will use
whatever means they have to gain access to your critical
data
Ransomware is not new, but its recent rise in
sophistication and distribution is an escalated trend to find
ways to exploit individuals and businesses
Security is not something you add to your business, it is
integral to doing business
Make sure you are partnering with security experts who
understand that security is more than a device. It is:
A system of highly integrated technologies
Combined with an effective policy
A lifecycle approach of preparing, protecting, detecting,
responding, and learningSecurity is Everyone’s
Responsibility – See
Something, Say Something!
Questions? Please contact:
steve.smith@i-netsol.com bob.Kelley@i-netsol.comYou can also read
