
Post on 15-Jul-2020


So who is this Matt guy anyway?

• Corn-fed, Wisconsin small business owner

• Information security consultant – previously with CDW for 15 years

• Certifications: CISSP, CISM, CRISC, CHSP, GIAC, CGEIT, OMG, BBQ, etc.

• When I’m not busy being a security geek:

  • Gardener

  • Bee-keeper

  • Brewer of beer and mead

  • Chainmailer

  • Fisherman

  • Aspiring blacksmith

  • TH9 in Clash of Clans

Totally Awesome Mullet Award (circa 1987)

Agendamus Maximus

• A very brief history of warfare

• Hackers and threat actors

• Cybercrime examples

• Defensive strategies

• Open dialog

History of Warfare (dramatically oversimplified)

The human penchant for war, power, and conquest

“We have always been at war with Eastasia.” – George Orwell, 1984

Land

• Fists

• Clubs

• Metal

• Swords and spears

• Armor

• Arrows

• Heavy things

• Mobility

Water

• Row boats

• Sail boats

• Gun boats

• Navy

• Submarines

• Heavy things

• Mobility

Air

• Balloons

• Gliders

• Propellers

• Jets

• Spy planes

• Heavy things

• Mobility

Space

• Rockets

• Satellites and communication

• Space bound animals

• People

• Orbital bases

• Orbital attack/defense platforms

• Heavy things

• Mobility


Data and the Internet

• Telegraph

• Punch cards

• Magnetic media

• DARPA

• AOL and PCs

• A world connected

• Transient data

• Evil hax0rz

• Mobility (???)

The Rise of The Hackers

• The Terminally Curious

  • Kids, young adults, adults, misguided motives

• The Maliciously Inclined

  • Evil h4x0rz, axe-grinders, egoists

• Organized crime

  • BotNet herders, malware developers, profit-motivated criminals

• Advanced Persistent Threat actors

  • Vindictive insiders, ethno-nationalists, ideological fanatics, nation states, rogue corporations and criminal enterprises

The future is here…

Are you prepared?

A few quick statistics

Source: http://www.hackmageddon.com/2015/12/11/november-2015-cyber-attacks-statistics/

Attack Techniques

Commonalities in attack scenarios

• Identify target

• Surveillance and reconnaissance

• Penetration

• Co-opt targets

• Conceal and embed

• Conduct operations

• Profit

Understanding the Zero-day Problem

The Internet

01000010011001010010000001110011011101010111001001100101001000000111010001101111001000000110010001110010011010010110111001101011001000000111100101101111011101010111001000100000010011110111011001100001011011000111010001101001011011100110010100101110

Matches anti-virus signature – apply countermeasures!

Understanding the Zero-day Problem

The Internet

01000010011001010010000001110011011101010111001001100101001000000111010001101111001000000110010001110010011010010110111001101011001000000111100101101111011101010111001000100000010011110111011001100001011011000111010001101001011011100110010100101110

Anti-virus says: “Nope. Ain’t never seen it… Carry on, Citizen.”

Very limited or no protection offered
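The two slides above make the point with a bit string: a signature engine can only flag what is already in its database. As an added illustration (not code from the talk), the script below decodes the slide's bit string, stands up a toy exact-match "signature database" (a SHA-256 of each known sample is the assumed signature format), and shows the verdicts for a known sample and for samples the database has never seen. The sample set and the database are constructed here.

```python
"""Signature matching and the zero-day gap (added example, not from the talk)."""
import hashlib

# The bit string from the slide, re-joined into one line (8 bits per character, MSB first).
SLIDE_BITS = (
    "010000100110010100100000011100110111010101110010011001"
    "010010000001110100011011110010000001100100011100100110"
    "100101101110011010110010000001111001011011110111010101"
    "110010001000000100111101110110011000010110110001110100"
    "01101001011011100110010100101110"
)


def bits_to_bytes(bits):
    """Decode a string of '0'/'1' characters into bytes."""
    if len(bits) % 8:
        raise ValueError("bit string length is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def make_signature(sample):
    """Assumed signature format for this toy: the SHA-256 of the whole sample."""
    return hashlib.sha256(sample).hexdigest()


def scan(sample, signature_db):
    """Exact-match 'anti-virus': a hit only for samples already in the database."""
    if make_signature(sample) in signature_db:
        return "match: apply countermeasures"
    return "no match: carry on, citizen"


def coverage(samples, signature_db):
    """Fraction of a sample set the signature database would have caught."""
    caught = sum(1 for s in samples if scan(s, signature_db).startswith("match"))
    return caught / len(samples)


# Constructed "in the wild" sample set: one sample the vendor has seen, two it has not.
KNOWN_SAMPLE = bits_to_bytes(SLIDE_BITS)          # b"Be sure to drink your Ovaltine."
WILD_SAMPLES = [
    KNOWN_SAMPLE,
    b"Be sure to drink your cocoa.",
    b"Ovaltine for everyone.",
]
SIGNATURE_DB = {make_signature(KNOWN_SAMPLE)}

if __name__ == "__main__":
    print("decoded slide:", KNOWN_SAMPLE.decode())
    for s in WILD_SAMPLES:
        print(f"{s!r:40} -> {scan(s, SIGNATURE_DB)}")
    print(f"signature coverage of the wild set: {coverage(WILD_SAMPLES, SIGNATURE_DB):.0%}")
```

The gap between the first signature-less sighting and the database update is the zero-day window the next slide calls the patch gap; the `coverage` number is what a signature-only control buys you during that window, which is why the slides recommend layered controls (egress filtering, baselines, least privilege) rather than relying on the engine alone.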

Patch Gap and Vulnerability Management

Notice! This little gap represents the zero-day problem

So… where does it all come from?

Example: Low Orbit Ion Cannon

Example: High Orbit Ion Cannon

Support and Customer Service for Hackers!

Customize it with SpyEye

But wait, there’s more! Citadel

Anatomy: Common Cybercrime Tactic – Banking

• Online banking user targeted

• Successful exploitation via spear phishing

• Bot provides feedback to hax0r

• Means of authentication compromised

• Hax0r collects banking credentials

• Hax0r logs into victim’s online banking account

• Hax0r moves $$$ to US account

• Unsuspecting perp moves money overseas

Two quick riddles…

Q: When do organizations realize that they have made a mistake in security spending?

A: Usually never – they simply miss out on the chance to use some money for other things, but they seldom really investigate how much or why.

Q: How much better is it to do a great job with security than it is to do an average job?

A: Well, we need to adjust the definition of “great” so that it encompasses not overspending, spending irrationally, or spending ineffectively.

How do we decide what to do?

• Everyone spends on security, but we know our security will never be perfect

• Budgeting for security is problematic

• We must optimize our security spending and resource allocation

• A security assessment is the process of identifying and prioritizing risks and mitigation strategies

• A well-done assessment should give you confidence

Top 5 Security Things You Should Be Doing (but probably aren’t)

• There will always be “something” to do that is not being done

• Commonalities across verticals

• Verify and ask questions

• Form a plan

• Execute

• Validate

• Improvement and vigilance

#1 Fix Your Passwords

• Develop and enforce password policy

• Foster a security-aware culture

• Employ passphrases

• Perform periodic password audits

• Password isolation

• Consider multi-factor authentication

Sorry, but I’m about to geek out on you…

• No. This is not the Death Star nor is it a lesson in optics

• Blue ovals are hosts, red boxes are credentials (username/password combination), and yellow spots are the domains (domain controllers, to be specific).

• The “credentials” in this one are local administrative accounts, so this represents local account trusts for administrative level users (admin on hosts and/or the domain controllers).

• ~1,400 hosts involved in trusts with at least one other, many with many others, including the domain.

Geeking out… Part 2

• Much simpler, yes?

• Blue ovals are hosts, red boxes are credentials (username/password combination), and yellow spots are the domains (domain controllers, to be specific).

• The “credentials” in this one are local admin accounts, so this shows local account trusts for admin level users (admin on hosts and/or the domain controllers) EXCEPT that this time, the actual “Administrator” accounts are excluded.

• In other words, it's the same as the previous graph, if they were to fix just all of the local “Administrator” accounts. Only 129 hosts now involved in local account trust relationships.

• So by fixing the local “Administrator” account on all their boxes, they can achieve an order of magnitude improvement in # hosts involved.

Note: We’re not even talking about fixing patch-related vulnerabilities yet!
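The two graphs above are built from one relationship: two hosts "trust" each other when the same local username and password works on both. As an added example (not the talk's own tooling), the script below reproduces that analysis on a small constructed data set: it groups hosts by shared credential, counts how many hosts take part in at least one trust, repeats the count with the built-in "Administrator" account excluded (the "Part 2" graph), and walks the trusts transitively to show how far a single compromised host's local credentials reach. Host names and the password-hash markers are invented; a real run would take them from a credential audit.

```python
"""Local-account trust graph from shared local admin credentials (added example)."""
from collections import defaultdict

# Constructed audit output: (host, local account name, marker for the password hash).
# Hosts that list the same (account, hash) pair are opened by the same credential.
SAMPLE_CREDS = [
    ("ws01", "Administrator", "hashA"),
    ("ws02", "Administrator", "hashA"),
    ("ws03", "Administrator", "hashA"),
    ("srv01", "Administrator", "hashA"),
    ("dc01", "Administrator", "hashA"),   # the domain controller shares it too
    ("ws04", "Administrator", "hashZ"),   # unique password: no trust edge
    ("ws02", "helpdesk", "hashB"),
    ("ws05", "helpdesk", "hashB"),
    ("srv02", "svc_backup", "hashC"),
    ("srv03", "svc_backup", "hashC"),
    ("srv04", "svc_backup", "hashD"),     # same account name, different password
]


def build_trust_graph(creds, exclude_accounts=frozenset()):
    """Map each credential shared by two or more hosts to the set of hosts it opens."""
    hosts_by_cred = defaultdict(set)
    for host, user, pw_hash in creds:
        if user in exclude_accounts:
            continue  # "Part 2": pretend these accounts have been fixed
        hosts_by_cred[(user, pw_hash)].add(host)
    return {cred: hosts for cred, hosts in hosts_by_cred.items() if len(hosts) > 1}


def hosts_in_trusts(graph):
    """All hosts that take part in at least one local-account trust relationship."""
    return set().union(*graph.values())


def reachable_from(graph, start):
    """Hosts reachable from `start` by credential reuse alone (transitive closure)."""
    creds_by_host = defaultdict(set)
    for cred, hosts in graph.items():
        for host in hosts:
            creds_by_host[host].add(cred)
    seen, frontier = {start}, [start]
    while frontier:
        host = frontier.pop()
        for cred in creds_by_host[host]:
            for nxt in graph[cred]:
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
    return seen


def summary(creds, exclude_accounts=frozenset()):
    """Counts the slide reports: shared credentials and hosts involved in trusts."""
    graph = build_trust_graph(creds, exclude_accounts)
    return {"shared_credentials": len(graph), "hosts_in_trusts": len(hosts_in_trusts(graph))}


if __name__ == "__main__":
    full = build_trust_graph(SAMPLE_CREDS)
    fixed = build_trust_graph(SAMPLE_CREDS, exclude_accounts={"Administrator"})
    print("all local admin accounts:     ", summary(SAMPLE_CREDS))
    print("'Administrator' fixed:        ", summary(SAMPLE_CREDS, {"Administrator"}))
    print("reach from ws01, before fix:  ", sorted(reachable_from(full, "ws01")))
    print("reach from ws01, after fix:   ", sorted(reachable_from(fixed, "ws01")))
```

The reach-from-one-host number is the one to watch: on the constructed data a single workstation's local credential reaches the domain controller before the fix and nothing after it, which is the "order of magnitude" effect the slide describes, and it comes from a configuration change, not a patch.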

Why is this so bad? Lessons Learned

• A single vulnerability might give an attacker access to a great deal of stuff

• Once that happens, it’s hard to distinguish between logins by legitimate friends vs. logins by adversaries

• It might be pretty hard, even, to determine if Something Bad™ has happened

• It might be relatively easy to gather data about various vulnerabilities, but it’s hard to spot the relationships that govern how deadly they are

Inferences From The Geeky Graphs

There are things you can do to lessen the impact of a new vulnerability being exploited

• Principle of “Least Privilege” and “Inverted Security”

• Reduce sharing of local accounts

• Turn off cached credentials where not needed

• Now we can begin to think in terms of vulnerabilities we don’t yet know about

  • (recall the zero-day problem?)

• Oh, and patch your stuphs!

#2 Use a Password Safe

• Get rid of those Excel and Word docs for password storage

• Encrypted storage

• Improve enterprise disaster recovery capabilities

Did I mention…

GET RID OF THOSE EXCEL AND WORD DOCS!

How’s Your Memory Doing These Days?

• Don’t use spreadsheets or unprotected documents!

• Individual use

  • Home

  • Office

  • Mobile

• Enterprise use

  • Complex environments

  • Privilege use and tracking

  • Effective management

#3 Network Egress Filtering

• Egress, or outbound, traffic filtering

  • Firewalls and VLANs/VACLs

• Block and monitor

  • Security Incident Event Management (SIEM)

• Identify and isolate highly sensitive and confidential data

  • Data Loss Prevention (DLP)

Baseline and Behavioral Analysis

Develop baselines

• What does normal behavior look like?

• What does abnormal behavior look like?

Internal monitoring in addition to external

• Develop initial indicators

• Lends itself well to incident response planning and preparedness

Prepare for the worst, hope for the best
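The egress-filtering and baseline slides above describe two checks that run well over the same firewall log: a policy check ("should this outbound flow exist at all?") and a baseline check ("is this host sending far more than it normally does?"). As an added example (not from the talk), the script below parses a constructed log, applies a hypothetical egress policy (web ports only, DNS only to the internal resolver), builds a per-host median of outbound bytes from earlier days, and flags the hosts whose current-day total exceeds that baseline by a chosen factor. The log lines, the policy and the `factor` threshold are all constructed here.

```python
"""Egress policy check plus a per-host outbound-volume baseline (added example)."""
import statistics
from collections import defaultdict

# Constructed firewall log (not from the talk): timestamp src dst dport bytes action
SAMPLE_LOG = """\
2020-07-12T10:00:00 10.1.1.20 93.184.216.34 443 5000 allow
2020-07-13T10:00:00 10.1.1.20 93.184.216.34 443 5200 allow
2020-07-14T10:00:00 10.1.1.20 93.184.216.34 443 4900 allow
2020-07-15T10:00:00 10.1.1.20 203.0.113.9 443 260000 allow
2020-07-15T10:05:00 10.1.1.20 203.0.113.9 4444 1200 allow
2020-07-12T10:00:00 10.1.1.21 93.184.216.34 80 3000 allow
2020-07-13T10:00:00 10.1.1.21 93.184.216.34 80 3100 allow
2020-07-14T10:00:00 10.1.1.21 93.184.216.34 80 2900 allow
2020-07-15T10:00:00 10.1.1.21 93.184.216.34 80 3050 allow
2020-07-15T10:01:00 10.1.1.21 8.8.8.8 53 120 allow
"""

# Hypothetical egress policy: web ports only, and DNS only to the internal resolver.
EGRESS_POLICY = {"web_ports": {80, 443}, "dns_port": 53, "resolvers": {"10.1.1.5"}}


def parse_log(text):
    """Turn the space-separated log lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes, action = line.split()
        records.append({"day": ts[:10], "src": src, "dst": dst,
                        "dport": int(dport), "bytes": int(nbytes), "action": action})
    return records


def egress_violations(records, policy=EGRESS_POLICY):
    """(src, dst, dport, reason) for every flow the policy says should not leave."""
    found = []
    for r in records:
        if r["dport"] == policy["dns_port"]:
            if r["dst"] not in policy["resolvers"]:
                found.append((r["src"], r["dst"], r["dport"], "DNS to non-approved resolver"))
        elif r["dport"] not in policy["web_ports"]:
            found.append((r["src"], r["dst"], r["dport"], "destination port not permitted"))
    return found


def daily_bytes_by_host(records):
    """host -> {day -> total outbound bytes}."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["src"]][r["day"]] += r["bytes"]
    return totals


def volume_anomalies(records, day, factor=5.0):
    """(host, today_bytes, baseline) for hosts sending > factor x their median on earlier days."""
    flagged = []
    for host, per_day in daily_bytes_by_host(records).items():
        history = [b for d, b in per_day.items() if d < day]
        if not history or day not in per_day:
            continue  # no baseline yet, or nothing sent on that day
        baseline = statistics.median(history)
        if per_day[day] > factor * baseline:
            flagged.append((host, per_day[day], baseline))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for v in egress_violations(recs):
        print("policy violation:", v)
    for host, today, base in volume_anomalies(recs, "2020-07-15"):
        print(f"volume anomaly: {host} sent {today} bytes, baseline median {base:.0f}")
```

Note that the large transfer on 2020-07-15 goes out over port 443 and so passes the policy check; only the baseline catches it. That is the "internal monitoring in addition to external" point: the policy blocks what you already know is wrong, the baseline shows you what is merely unusual, and both feed the SIEM.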

#4 Improve Your Monitoring and Inventory Management

• Start simple

• Establish basic metrics

• Authorized and unauthorized devices

• Centrally manage audit logs

• Focus on relevant issues first

• More automation of alerting

• Trending

#5 Perform Routine Scanning

• Utilize your updated inventory

  • SolarWinds

• Identify known weaknesses

  • NESSUS

• Continuous remediation

  • ERM

• Update build standards

  • ITIL

• Improve patching regimen

  • WSUS/SCCM

Vulnerability-free Planning

• Plan 1: Find out about and fix all flaws in all products

  • Not likely; vendors keep releasing patches, indicating that they don’t know them all

  • “Apollo 8 has 5,600,000 parts and one half million systems, subsystems, and assemblies. Even if all functioned with 99.9% reliability, we could still expect 5,600 defects.”

    • Jerry Lederer, NASA safety chief (quoted in Collins, Michael. Carrying the Fire: An Astronaut’s Journeys, New York: Random House, 1974, p. 307)

• Plan 2: Prevent all flaws from being exploitable by anybody

  • Also problematic; generally this would involve denying all access…

  • “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.”

    • Gene Spafford (quoted in Dewdney, A. K., “Computer Recreations: Of Worms, Viruses and Core War,” Scientific American, March 1989, p. 110)

Set Goals!

• Identify

• What data do you consider to be sensitive or confidential?

• What forms do your critical data take?

• How and where is it being stored?

• Who “owns” the data and who has access to it?

• Monitor

• How is the data being used?

• Where is it being sent?

• How is it being sent/transferred?

• Report

  • Information is primarily useful when it is consumed (and is consumable)

  • Access summaries, capacity reports, data life cycle management, etc.

  • Understanding of key risks facing the organization

• Improve

  • Manage technical issues and improve business processes

  • Intelligent application of resources to support remediation efforts

• Knowledge is power!

Open Dialog Time!

Introduction: Jeff Grady from Three Pillars Technology

We know you have questions

Special Thanks to:

MEGA Healthcare Conference Organizers

Our Wonderful Sponsors

Kaye Prieve and Wendy Ellwein