Presented by:
Danny Timmins, National Cyber Security Leader
2017
Protect Your Properties from Cyber Attacks!
Cyber Security MNP Technology Solutions
MNP Cyber Security Presentation
Page 2
• Cyber Security Overview
• Cyber Crime Tactics and Techniques
o Hacking (Penetration Testing)
o Social Engineering (Malware/Crimeware)
o Red Teaming
• Considerations
Page 3
Lessons from the field
• Canada’s 5th largest accounting, tax and consulting firm
• 4,500 team members
• 80 offices coast to coast
• 55 cyber security professionals nationally
Page 4
MNP is more than an Accounting Firm
• Digital Strategy
• Portal Development
• Business Continuity
• Workplace Collaboration
• CRM/ERP
• Cloud Strategy
• Operational Technology
• IoT
• Cyber Security & Risk
• Data Analytics
• DevOps
• Auditing
Page 5
Predictions
➢ 99% of vulnerabilities exploited will continue to be ones already known to security/IT professionals.
➢ The single most impactful enterprise activity to improve security will be patching.
➢ The second most impactful enterprise activity to improve security will be removing web server vulnerabilities.
Page 6
Predictions
➢ The Internet of Things will grow to an installed base of 20.4 billion devices.
➢ A third of successful attacks experienced by enterprises will be on their shadow IT resources.
➢ Companies are using more than 15 times more cloud services to store critical company data than their CIOs were aware of.
➢ Nearly eight in ten (77%) decision makers admit to using a third-party cloud application without approval.
Page 7
What’s happening in the industry?
• Damages have started to increase in Canada. Casino Rama is an example of damages increasing: 30+ million.
• Canada’s new privacy law (the Digital Privacy Act) will require breach notification and will affect private sector operations in Canada. Do you know your data?
• Cyber insurance: how much do you need, and is it focused on the correct areas?
Page 8
What’s happening in the industry?
• Mandatory cyber audits are coming for publicly traded companies in Canada; the US is pushing hard and it is coming.
• The Payment Card Industry (PCI) already mandates compliance. Example: Best Western hotels have been targeted and had very limited security.
• Equifax: 140M+ records, 100,000+ in Canada. Patch management is said to be the issue; the breach was mishandled from the start, including directing clients to a phishing site.
Page 9
Who are Behind Cyber Attacks?
89% of breaches had a financial or espionage motive.
• Nation states
• Organized hackers
• Non-organized hackers
• Employees: technical
• Employees: business
• Malicious former employees
Page 10
Cyber Security Building Assessment
Assess:
- Perform a cyber security health check, including building network systems
- Inventory assets
Detect:
- Try to compromise the facility physically
- Perform phishing testing (email, wireless)
- Assess which devices are accessible (externally/internally) and have vulnerabilities
- Perform automated security scanning
- Perform penetration testing
Remediate:
- Document results and fix all found vulnerabilities
- Retest the systems to confirm they have been patched
- Work with you and your vendors
Page 11
What if a data breach happened? What are the risks?
- Impact building management systems
- Unauthorized physical access to tenant areas
- Brand and reputation
- Non-compliance with privacy regulations
- Unable to fulfill service commitments
- Loss of tenants
Page 12
Other Risks to Consider
• Supply Chain/Vendor Management
• Privacy - Personal Identification Information (PII)
• Regulator Compliance
• Intellectual Property (IP)
• New Automation deployments - IoT (Internet of Things)
• Payment Systems (Ecommerce or Point of Sale)
• Strategic plans, engineering drawings, RFP’s, Proposals, etc.
• Life Safety Systems – elevators, exhaust
Page 13
Let’s take a closer look!
Page 14
What is Hacking?
- The EXPLOIT of a technical vulnerability
- Human error (still a vulnerability)
- Can involve chaining together a series of weaknesses
- Performed without owner permission
Page 15
What is Penetration Testing?
- Similar to hacking except owner gives permission
- Attempt to gain access to sensitive information or
resources
- Steps can include:
- Information gathering
- Vulnerability enumeration
- Vulnerability exploitation / Privilege Escalation
- Exploration / Lateral Movement
- Performed against defined scope
- Measures Network(s) and Application(s) resiliency
- Overall goal to improve security posture
Page 16
Almost ALWAYS Starts with a Vulnerability
Page 17
Page 18
Example 1: Penetration Test
Page 19
Target: Management Controller
Page 20
Page 21
Page 22
Dump Password Hashes:
Page 23
What Can You Do with a Hash?
Page 24
“Hashinator”
26 lower case letters (a-z)
26 upper case letters (A-Z)
10 digits (0-9)
26 + 26 + 10 = 62 possible characters
8 characters: 62 ^ 8 = 218,340,105,584,896 candidate passwords
…or < 2 days to try every one of them offline (which implies roughly 1.3 billion guesses per second, a rate that GPU hardware reaches against fast, unsalted hash types). The hash type matters: a slow, salted password hash would push this far beyond 2 days.
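Worked example added here (not part of the original presentation): the slide’s keyspace arithmetic generalised to any character set and password length, the worst-case time to exhaust that keyspace at an assumed cracking rate, and an offline brute force against a constructed unsalted SHA-256 digest to show what an attacker does with a dumped hash. The 1.3 GH/s rate, the symbol set and the demo password “kite” are assumptions; the slide gives only the 62^8 figure and the “< 2 days” estimate.

```python
import hashlib
import itertools
import string

# Character classes from the "Hashinator" slide.
LOWER = string.ascii_lowercase   # 26
UPPER = string.ascii_uppercase   # 26
DIGITS = string.digits           # 10
# Assumed 26-symbol set, added only to show how a wider charset changes the maths.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"


def keyspace(charset: str, length: int) -> int:
    """Number of candidate passwords of exactly `length` drawn from `charset`."""
    return len(charset) ** length


def cumulative_keyspace(charset: str, max_length: int) -> int:
    """Candidates an attacker tries when sweeping every length from 1 to max_length."""
    return sum(keyspace(charset, n) for n in range(1, max_length + 1))


def exhaust_seconds(candidates: int, hashes_per_second: float) -> float:
    """Worst-case seconds to try every candidate at the given cracking rate."""
    return candidates / hashes_per_second


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of a password, standing in for a dumped fast hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hex: str, charset: str, max_length: int):
    """Offline brute force: nothing rate-limits or locks out guesses against a hash dump.
    Returns the recovered password, or None if it is not in the searched keyspace."""
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hex:
                return candidate
    return None


if __name__ == "__main__":
    alnum = LOWER + UPPER + DIGITS
    rate = 1.3e9  # assumed guesses/second; roughly what "< 2 days" for 62^8 implies
    n8 = keyspace(alnum, 8)
    print(f"62^8 = {n8:,} candidates")
    print(f"exhausted in {exhaust_seconds(n8, rate) / 86400:.2f} days at {rate:.1e} H/s")
    n10 = keyspace(alnum + SYMBOLS, 10)
    print(f"88^10 with symbols and 10 chars: {exhaust_seconds(n10, rate) / 86400 / 365:.0f} years")
    # Constructed demo hash: a 4-character lowercase password stored without salt.
    dumped = sha256_hex("kite")
    print(f"recovered from dump: {crack(dumped, LOWER, 4)}")
```

The rate is the variable that decides everything: the same 62^8 keyspace takes days against an unsalted fast hash and centuries against a deliberately slow one, which is why hash type and salting matter as much as password length.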
Page 25
Page 26
Username/Password Leads to Full VM Infrastructure
Page 27
Once Access is Gained… Then We “Pivot”
Page 28
Access to HVAC System…
Page 29
Example 2: Programming Error
Page 30
What is Social Engineering?
- An act that influences a person to take an action
- Used by attackers because it consistently works
- There is no patch for untrained users
- Performed against a defined scope
- Three types of social engineering:
- Phishing
- Vishing
- Impersonation
- Measures how well people identify social engineering attacks
Page 31
Example Phishing
Page 32
Page 33
Page 34
Page 35
Hello, my name is XXXXX. Resume
attached. I look forward to seeing you.
Sincerely yours, XXXXX
Page 36
Social Engineering Attackers
Deploy Fake Social Media Profiles
Page 37
Tip #3 – Google Images
- Use Google Images to verify and validate pictures
Page 38
Page 39
What is Red Teaming?
• Contains aspects of Penetration Testing and Social Engineering
• Performed with the permission of the owner
• Typically full-scope, multi-layered attack simulation
– Penetration Testing
– Social Engineering
– Physical Security Controls
• Designed to measure resiliency of People, Network(s), and
Application(s) during a real-life attack
• Attacks are performed simultaneously
• Overall goal to identify gaps and improve Incident Response
Page 40
Public Infrastructure – SCADA
• Engagement Objectives:
– Non-Technical Objectives (Flags)
• Gain access to the SCADA facility
– Technical Objectives (Flags)
• Perform Penetration Test against internal assets
• Attempt to gain access to PLC controllers
• Rules of Engagement:
– Assets will not be removed from physical location
Page 41
Public Infrastructure – SCADA
• Engagement Findings:
– Successfully gained access to facility via piggybacking in behind employee
– Performed penetration test against internal assets and able to recover password
hashes
– Able to bypass thin-client to gain access to corporate network from SCADA facility
– Access to the PLC network was gained due to lack of network segmentation
– Determined DoS possible on PLC network by sending one malformed packet
– No indicators of compromise were detected by client
Page 42
Red Team - Key Findings
• Social Engineering attacks like phishing and impersonation
consistently work
– Lack of security awareness training for employees aids attackers
• Once inside an organization, detection does not occur
– Security controls like IDS/IPS can log events however no one responds
to alerts
• Lack of patch management and build/hardening standards
– allows for compromise of sensitive information/data
• Organizations are not equipped to deal with real-life
adversary attacks
Page 43
Considerations
Page 44
Considerations
▪ Do a company-wide cyber security health check. Do you and your executives understand what risks you are protecting against and where to prioritize budget and resources?
▪ Develop and implement the appropriate cyber security infrastructure to protect your organization. When was the last time you and your team reviewed your infrastructure?
▪ Understand potential exposure by engaging “ethical hackers” (cyber security consultants) to hack your organization: networks, applications, mobile.
Page 45
Considerations
▪ Incident response: a) have you developed a plan and done a tabletop exercise? b) Do you know who to call if a breach happens?
▪ Supply chain/vendor/third-party management strategy, beginning with the IT-focused contracts.
▪ Backup and recovery: have backups been tested for recovery, and do you have backups offline and offsite?
▪ How are you controlling shadow IT? Do people install applications without permission?
Page 46
Considerations
▪ Cyber security educational training: training can’t just be a poster on a wall (videos, testing, personalization, etc.).
▪ Does the organization store, process or transmit credit card data? It MUST be PCI compliant.
▪ Has your organization considered outsourcing its cyber security to dedicated cyber security administrators and advisors?
Page 47
Considerations
▪ Consider purchasing cyber security insurance. Make sure it is focused on the key risk loss areas of the business.
▪ Is your business putting in place cyber security practices, procedures and metrics? Does your risk register include cyber security, and is it focused on the right risks? Does the board actually understand and agree with the risks being covered, and were they part of the decision?
Page 48
Cyber Security Services
Offensive Security (Red Team)
• Penetration Testing
• Blended Threat Attack Exercises
• Social Engineering
• Vulnerability Assessments
Payment Card Industry (PCI) Compliance
• Scope Discovery
• Gap Analysis and Readiness Review
• On Demand Consulting and Remediation
• PCI Report on Compliance Validation (ROC)
• PCI SAQ Review and Sign Off
• External ASV Scanning
• Annual Maintenance (Business as Usual)
Forensics
• Data Retrieval from hard drives, servers, laptops, cell phones, etc.
• E-Discovery Service for Court Admissibility
Risk Management
• Quantitative Threat and Risk Assessment (based on probabilities and industry statistics)
• Qualitative Threat and Risk Assessment (based on matrix approach)
• Cloud Security Checklist
• Privacy Impact Assessments
• MTA (Maturity Threat Analysis)
• Information Security Framework Development
• Assessment and Review against ISO 27k, NIST CSF or CSC 20
• Policy, Process, Procedure and Documentation Development
Defensive Security (Blue Team)
• Enterprise Network Security
• Network, Wireless and Security Architectural Design
• Perimeter and Data Center Security
• Data Loss Prevention and Data Encryption
• Email / Web Content Filtering and Malware Protection
• Secure Access and Authentication
• End Point Security and Encryption
• Wireless, BYOD and Network Access Control
• Security Hardening Standards and Guidelines
• Virtualization and Cloud Computing Standards and Guidance
• Security Awareness Training
Managed Services
• Cyber Security Administration
• Perimeter Threat Prevention (firewall, IPS, anti-virus, web application firewalls, etc.)
• 2-Factor Authentication
• Log Management
Page 49
• Proposed Tax Changes: http://www.mnp.ca/en/posts/tax-changes-and-your-family-business-what-you-need-to-know
• Impacts on Your Family Business: http://www.mnp.ca/en/posts/tax-changes-and-your-family-business-what-you-need-to-know
• Risk Management in Cyber Security: http://www.mnp.ca/en/real-estate-and-construction/risk-management-in-cyber-security