TRANSCRIPT
The Hacking Team Hack: Lessons Learned for Enterprise Security
Stephen Cobb, CISSP, Senior Security Researcher, ESET North America
Stephen Cobb has been a CISSP since 1996 and has helped companies large and small to manage their information security, with a focus on emerging threats and data privacy issues. The author of several books and hundreds of articles on information assurance, Cobb heads a San Diego-based research team for ESET North America.
Today’s topics
• The messy rise of Hacktivism 3.0
• Where Hacking Team went wrong
• What’s Sony Pictures got to do with it
• Issues of access and authentication
• Re-discovering the insider threat
• The security/transparency paradox
• AshleyMadison and other secrets
• Situational awareness, risk analysis, operational security, and Incident Response Planning
What’s not on the agenda…
• The ethics of Hacking Team’s business model
• The legality/ethics/logic of digital surveillance of citizens by the state
• The inside scoop on how these hacks went down (although insiders may have been involved)
Polling Question
Q1: Has your organization issued any phishing alerts in the wake of recent hacks?
• Yes
• No
• Not sure
• I don’t work for an organization
Hacktivism 3.0
• 1.0: Website defacements
• 2.0: Exfiltration of confidential documents to sharing sites
• 3.0: Breaching security with intent to expose documents that make a point, or a mess
– Politics: Hacking Team, Sony
– Malice: Ashley Madison
– Money: Adult Friend Finder
Hacking Team profile
• Italian company that sells “surveillance tools” to government agencies
• Main tool is code designed to obtain unauthorized access to systems = malware
• Detected as such and blocked by AV products
• Many people disapprove in general, but particularly when client = repressive regime
Hacking Team story
• Started with penetration testing
• Some staff not comfortable with expansion into surveillance tools
• Management response: compartmentalize
Hacking Team critique
• Adopted aggressive attitude to those who opposed its business model
• Repeatedly denied allegations of dealings with repressive regimes
• While storing evidence of dealings with repressive regimes in digital form
• Creating a risky situation:
– Target value outgrew defensive posture
Sony Pictures parallels
• Decided to move forward with an inflammatory movie despite warnings it could provoke hackers
• Sony security posture and incident response plans fell short of risk profile
• Failed to isolate digital valuables and embarrassing information in digital form
Does Mr. Clooney understand?
• American companies run on systems that are so hard to defend that provoking attack by taking a stand is a very risky business decision
Cowardice or commonsense?
• The strength of our economic and social infrastructure impacts our ability to take a stand against terrorists and other bad actors
• Strength readings are not high right now
• Consider recent Blackhat survey of 460 security professionals:
– 73% think it likely that their organization will have to deal with a major data breach in the year ahead
Why? Blackhat survey says…
• Staffing Shortage: Only 27% feel their organization has enough staff to defend against current threats
• Measly Budgets: Only 34% say their organization has enough budget to defend itself against current threats
• In Need of Training: Only 36% say they have the skills they need to do their jobs (55% say they could use some training)
PDF at: http://tinyurl.com/Blackhat-Survey
Blackhat survey tells us…
“Security defense strategies and resources need serious rethinking if the protectors of the enterprise are not confident in their ability to keep adversaries out of systems” (and away from potentially damaging data)
How fresh is your risk management strategy?
• Are you listening to your IT security people?
• Do you have realistic situational awareness?
• Where are you on your Incident Response Plan?
Remember: 4 ways to handle risk
• Reduction
– Make sure all systems are secure, patched regularly, users trained, etc.
• Acceptance
– Take a calculated risk, but be sure the odds are correct
• Avoidance
– Don’t make that movie about that dictator
• Transfer
– Buy insurance (but be prepared to qualify)
Polling Question
Q2: Are you confident in your organization’s current security posture?
• Yes
• No
• Not sure
• I don’t work for an organization
Sony/HT/AM common elements
• The company is engaged in activity that is not universally admired
• Someone with access to hacking abilities decides to act against the company
• The company response is sub-optimal:
– IT DIDN’T HAPPEN
– IT HAPPENED, BUT IT’S NOT THAT BAD
– ATTACK AND/OR ADVERSARY WAS SOPHISTICATED
– WE MAY HAVE ISSUED FALSE STATEMENTS
Defending against Hacktivism 3.0
• Situational awareness
– If it’s on the web, it’s world wide
– Who in the world might not like what we do?
– What are their capabilities (hint: you can rent ‘em)?
– What will they think about upcoming actions?
– Are we listening for/to critics?
WHO DOESN’T LIKE US?
ARE WE ANTAGONIZING ANYONE?
ARE ALL OUR SECRETS LOCKED DOWN?
WHERE ARE WE ON INCIDENT RESPONSE?
Situational Awareness
• It’s all about communication, drawing on:
– Salespeople
– Social Media
– Customer Support
– Clipping Service
– Google News Alerts
– Project Roadmap
– PR/Events Calendar
Security/transparency paradox
• Security = keeping secrets, including possibly damaging information
• Choosing not to keep potentially damaging information secret may reduce that potential
• Information in digital form is inherently hard to keep secret
• Digital “secrets” are easier to share at scale
A man that looks on glass,
On it may stay his eye;
Or if he pleaseth, through it pass,
And then the heav'n espy.
– George Herbert, 1633
Incident response planning
• Bad things will happen to your organization
• So you need a plan for how to respond
• Everyone in the organization needs to know
– There is a plan and we all must stick to it
– We all have a role, even if that role = no comment
WHO DO YOU CALL?
WHO SHOULD SPEAK?
TO WHOM WILL THEY SPEAK?
WHAT WILL THEY SAY?
Authentication issues
• Use of weak, non-unique passwords continues
• On sensitive systems, passwords are no longer fit for purpose
• You need 2FA
Personnel “risks” must be addressed
• The insider threat has never gone away
• Potential damage from insiders is arguably greater now, given ease of digital egress
• Pay attention to people, attitudes, and the logs
2015 Vormetric Insider Threat Report
Miscellaneous fallout
• HT zero days disclosed
• Vulnerabilities need to be patched
• Phishing campaigns may use AM data
• Blackmail is also possible
• Password leaks add to brute force
Opsec and AshleyMadison
• Don’t engage in behavior you may later want to deny, unless you are confident the proof of your involvement is well-protected
• Bear in mind the wide range of views on “acceptable”