Richard Hollis Top IT and Cyber Risks

Date post: 14-Apr-2017
Upload: auditconferenceseurope

TOP 10 CYBER SECURITY RISKS

2015

TOUGH YEAR

REASON = RISK / REWARD

• The average bank robbery yields around $1,800.00

• The average cyber crime yields around $750,000.00

UNDERSTAND

CHAT UP LINE #103

As of April 2015, there were over 8 million web pages offering some sort of free downloadable hacking software.

REPORTS VARY

• 42% increase in targeted attacks in 2014.

• 31% of all targeted attacks aimed at businesses with fewer than 250 employees.

• 1 watering-hole attack infected 500 organizations in a single day.

• 74 zero-day vulnerabilities.

• 32% of all mobile threats steal information.

• 1 threat infected 600,000 Macs in 2014.

• Spam volume continued to decrease, with 69% of all email being spam.

• The number of phishing sites spoofing social networking sites increased 125%.

• Web-based attacks increased 30%.

• 5,291 new vulnerabilities discovered in 2014, 415 on mobile OS.

Symantec Global Intelligence Report 2015

BECAUSE

Q: WHAT’S A RISK?

A: WHAT’S A RISK TO YOU?

TOP 10

• OBVIOUS

• NOT SO OBVIOUS

• COMPLEX

10: BRUTE FORCE

• DDoS

• Drop servers to default

• Use default password

• Take admin rights

• Password crackers
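The "password crackers" and "use default password" items above are the part of brute force that shows up in your own authentication logs long before anything else does. The following is an added example, not code from the original slides: a small detector that reads OpenSSH-style sshd lines, counts failed logins per source address inside a sliding time window, and records whether the same address later succeeded, which is the case that needs an incident rather than just a block. The log lines are constructed for the example, and the threshold and window are hypothetical policy values.

```python
"""Flag password brute-forcing from sshd authentication log lines.

Added example, not from the original slides. SAMPLE_LOG is constructed to
look like OpenSSH `sshd` syslog output; `threshold` and `window` are
hypothetical policy values you would tune for your own environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 hammers root/admin and then gets in;
# 198.51.100.20 is a user who mistyped once; 192.0.2.9 is a slow, spaced-out guesser.
SAMPLE_LOG = """\
Apr 14 10:00:01 bastion sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Apr 14 10:00:02 bastion sshd[2002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Apr 14 10:00:02 bastion sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Apr 14 10:00:03 bastion sshd[2004]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Apr 14 10:00:04 bastion sshd[2005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Apr 14 10:00:05 bastion sshd[2006]: Failed password for root from 203.0.113.7 port 51005 ssh2
Apr 14 10:00:09 bastion sshd[2007]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Apr 14 10:01:00 bastion sshd[2008]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Apr 14 10:01:30 bastion sshd[2009]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
Apr 14 10:20:00 bastion sshd[2010]: Failed password for bob from 192.0.2.9 port 40010 ssh2
Apr 14 10:40:00 bastion sshd[2011]: Failed password for bob from 192.0.2.9 port 40011 ssh2
Apr 14 11:00:00 bastion sshd[2012]: Failed password for bob from 192.0.2.9 port 40012 ssh2
Apr 14 11:20:00 bastion sshd[2013]: Failed password for bob from 192.0.2.9 port 40013 ssh2
Apr 14 11:40:00 bastion sshd[2014]: Failed password for bob from 192.0.2.9 port 40014 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(lines, year=2015):
    """Yield (timestamp, result, user, ip); syslog lines carry no year, so one is supplied."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event we understand
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"failures": n, "users": [...], "success_after": bool}}.

    An address is flagged the first time it accumulates `threshold` failures
    inside one sliding `window`. A later Accepted from a flagged address sets
    success_after, which is the signal to escalate rather than just rate-limit.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    users = defaultdict(set)       # ip -> usernames tried
    flagged = {}
    for ts, result, user, ip in sorted(parse(lines)):
        if result == "Failed":
            users[ip].add(user)
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged[ip] = {"failures": len(failures[ip]),
                               "users": sorted(users[ip]),
                               "success_after": False}
        elif ip in flagged:
            flagged[ip]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The slow guesser at 192.0.2.9 is deliberately below the default threshold: spacing attempts out is exactly how password sprayers avoid lockouts, so the window is worth widening when the user list is small and the target is a shared account like root.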

9: IP EQUIPMENT

• Copiers

• Faxes

• Scanners

• Telephones

• UPS

• Air Conditioning

• Fire alarms

• PABX

• Coffee machines

8: MODEMS

• “Phreaking” still works!

• Every server has a modem port!

• 23% of all external attacks are traced back to previously unidentified modems

• For every 1,000 lines there is an average of 50 undetected/unprotected modems/ports

MODEMS…

1. Bandwidth Manager

2. Exterior Router

3. Bastion Host (Firewall)

4. Interior Router

5. Network Switch

6. Application Servers

7. Network Storage

8. PBX

9. Voicemail

10. Modem Bank

11. RAS Server

12. Authentication Server

13. UPS

14. Air Conditioning

15. Building Access Control System

7: MALWARE

• Can retrieve whatever it is programmed to find, such as: files, folders, address books, log-on IDs, passwords…

• Can execute whatever functions it is programmed to execute: connections, downloads, off/on, find folder: encrypt, copy, delete, save as…

• Limited only by the creativity of the writer.

“Nearly 1 million malware threats are released every day.” Symantec 2015 Report

GEEK FACT #4

DELIVERED AS: .exe

DEPLOYING SPYWARE

• Keystroke loggers

• Browser trackers

• Mouse trackers

• Address book grabbers

• Password grabbers

• Session hijackers

• OS/application scouts

• Stealth installs

• Desktop hijacks
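The "delivered as .exe" point above is worth turning into a check: what a file is called tells you nothing, what its first bytes are tells you what it will do when double-clicked. The following is an added example, not code from the original slides. It decides whether a file is a Windows PE image by walking the DOS header to the PE signature, and flags the two usual disguises, a runnable extension hidden behind a document extension ("invoice.pdf.exe") and a PE renamed to look like an image or document. The sample files are constructed byte strings, not real malware, and the extension lists are hypothetical policy values.

```python
"""Spot executables that arrive disguised as documents or images.

Added example, not from the original slides. A Windows PE file starts with
the DOS magic 'MZ' and stores, at offset 0x3C, the offset of the 'PE\\0\\0'
signature; checking that is cheaper and more honest than trusting the name.
SAMPLES below are constructed, not real files.
"""
import struct

# Hypothetical policy lists: extensions Windows will execute, and the
# document-looking extensions attackers put in front of them.
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi", "dll"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def minimal_pe(size=0x100):
    """Constructed test data: the smallest layout is_pe() accepts as a PE image.

    A DOS stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature.
    Nothing here is runnable; it only has the header shape.
    """
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew = 0x80
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


def is_pe(data):
    """True if `data` carries a PE header: 'MZ' stub plus 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def assess(filename, data):
    """Return the reasons to quarantine `filename`; an empty list means nothing found."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    # "report.pdf.exe": document-looking name with a runnable extension behind it
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS and ext in EXEC_EXTENSIONS:
        reasons.append("double extension")
    # Content says PE but the name does not: renamed executable
    if is_pe(data) and ext not in EXEC_EXTENSIONS:
        reasons.append(f"PE image with non-executable extension .{ext or '(none)'}")
    return reasons


# Constructed samples (labels, not real attachments)
SAMPLES = {
    "quarterly-report.pdf": b"%PDF-1.4\n% constructed, not a real document\n",
    "invoice.pdf.exe": minimal_pe(),
    "holiday-photo.jpg": minimal_pe(),   # a PE renamed to look like an image
    "setup.exe": minimal_pe(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {assess(name, blob) or 'clean'}")
```

The renamed-PE case is the one that matters at a mail gateway or upload endpoint: a blocklist on ".exe" alone passes "holiday-photo.jpg", while the header check catches it regardless of the name.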

6: APPLICATION HACKS

Website attacks that enable access to the backend:

– SQL injection

– Cross site scripting

– Session hi-jacking
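SQL injection is the first of the three because it is the one that hands over the backend in a single request. The following is an added example, not code from the original slides: a login check written the vulnerable way, by concatenating user input into the query, next to the same check with a parameterised query, run against an in-memory SQLite table. The users, passwords and the use of plain SHA-256 are constructed for the example; a real system would use a slow password hash.

```python
"""SQL injection: a concatenated login query beside its parameterised fix.

Added example, not from the original slides. Uses an in-memory SQLite
database with a constructed users table; the credentials are made up, and
SHA-256 stands in for a proper slow password hash to keep the example short.
"""
import hashlib
import sqlite3


def pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db():
    """Constructed test data: two users, one of them an admin."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
               "pw_hash TEXT, role TEXT)")
    db.executemany("INSERT INTO users (username, pw_hash, role) VALUES (?, ?, ?)",
                   [("alice", pw_hash("correct horse"), "admin"),
                    ("bob", pw_hash("hunter2"), "user")])
    return db


def login_vulnerable(db, username, password):
    """Deliberately vulnerable: the query is built by string concatenation.

    A quote character in `username` closes the string literal and everything
    after it is parsed as SQL, so the password clause can be commented out.
    Returns the role on success, None otherwise.
    """
    sql = ("SELECT role FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Same check with placeholders: input is bound as data and never parsed as SQL."""
    row = db.execute("SELECT role FROM users WHERE username = ? AND pw_hash = ?",
                     (username, pw_hash(password))).fetchone()
    return row[0] if row else None


# Two classic payloads: comment out the password check for a known user,
# or make the WHERE clause true for every row so the first user comes back.
PAYLOADS = ["alice' -- ", "' OR 1=1 -- "]

if __name__ == "__main__":
    db = setup_db()
    for p in PAYLOADS:
        print(repr(p), "vulnerable:", login_vulnerable(db, p, "x"),
              "safe:", login_safe(db, p, "x"))
```

Both payloads log the attacker in as the admin through the concatenated query and fail through the parameterised one, with no input filtering involved: the fix is in how the query is built, not in what characters are allowed.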

Hacking Formula

= exe.autorun// (script)

Web Cam Hacking

Simple script allows you to obtain:

• All information about the cam user (name, picture, location, followers, etc.)

• All devices and operating systems used by the cam user

• All applications and social networks used by the cam user

• All cam log-on and password credentials (e.g. Skype)

• Cam geo-location

• Live cam feeds

• Cam indicator light control

Microphone Hacking

=

• Malware

• Stealth installs

• Data interception

• Direct attack

• Call hi-jacking

• VPN hi-jacking

• Session hi-jacking

• Device hi-jacking

5: MOBILE DEVICES

4: SOCIAL ENGINEERING

Accessing a system through a user

1. Identify the target

2. Conduct your research

3. Develop a rapport & trust

4. Exploit the trust for information

5. Use to access the system.

TOOLS

• Personal information about you

• Appeal to vanity

• Appeal to authority

• Appeal to human kindness

• Emotional manipulation

• Capitalize on stupidity

• Capitalize on trust

• Eavesdropping

• Chutzpah!

IN PERSON

Posing: Posing is when a hacker disguises himself as someone in authority to get physical access to your systems.

Baiting: Baiting is when a hacker leaves a malware-infected physical device, such as a USB flash drive or CD-ROM, in a place it is sure to be found, like a parking lot, reception area or toilet.

Tailgating: Tailgating is when a hacker follows an authorised employee into an otherwise secure office location to access the IT systems in order to execute an attack.

Dumpster diving: Dumpster diving is just what it says on the tin.

BY TELEPHONE

Pretexting: Pretexting is when a hacker calls, pretends to be someone in authority and requests something from you. It is like posing, only over the telephone.

Quid pro quo: A quid pro quo is when a hacker requests something from you in exchange for something desirable.

BY EMAIL

Phishing: Phishing is when a hacker sends a fraudulent email disguised as a legitimate email claiming to be from a trusted source.

Spear phishing: Spear phishing is when a hacker sends you a fraudulent email that appears to come from a trusted source with which you have a specific personal or professional relationship, such as your bank, your supermarket, or professional or social media connections.

Watering hole: A hacker injects malware into a legitimate website that companies in the target industry are already likely to visit.
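Spear phishing works because the message looks like it comes from a source the recipient trusts, so the practical check is whether it actually does. The following is an added example, not code from the original slides. It parses message headers with the Python standard library and flags three common tells: a display name that borrows a trusted brand while the address belongs to another domain, a sender domain that is a look-alike of a trusted one (digit-for-letter swaps or a one-character edit), and a Reply-To that diverts replies away from the From domain. The messages are constructed, and the trusted-domain list is a hypothetical allow-list.

```python
"""Is this "trusted source" email really from that source?

Added example, not from the original slides. SAMPLES are constructed
messages; TRUSTED_DOMAINS is a hypothetical allow-list of senders the
recipient has a real relationship with.
"""
import email
from email.utils import parseaddr

TRUSTED_DOMAINS = frozenset({"examplebank.com", "acme-supplies.co.uk"})  # hypothetical


def normalise(text):
    """Collapse common look-alike substitutions: 'examp1ebank.com' -> 'examplebank.com'."""
    t = text.lower()
    for a, b in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", "")):
        t = t.replace(a, b)
    return t


def edit_distance(a, b):
    """Levenshtein distance; a small distance between distinct domains is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return the findings for one RFC 822 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    findings = []
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        name_n = normalise(name).replace(" ", "")
        for td in sorted(TRUSTED_DOMAINS):
            brand = normalise(td).split(".")[0]
            # 1. display name claims a trusted brand the address does not carry
            if brand in name_n:
                findings.append(f"display name claims {td} but address is {addr}")
            # 2. look-alike domain: same after normalisation, or within two edits
            if normalise(sender_domain) == normalise(td) or edit_distance(sender_domain, td) <= 2:
                findings.append(f"look-alike domain {sender_domain} ~ {td}")
    # 3. replies are steered to a different domain than the one shown
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != sender_domain:
        findings.append(f"Reply-To {reply} differs from From domain {sender_domain}")
    return findings


# Constructed messages: one genuine, one look-alike domain, one borrowed display name
SAMPLES = {
    "legit": "From: Example Bank <alerts@examplebank.com>\n"
             "To: you@yourcompany.example\nSubject: Statement ready\n\nYour statement is ready.\n",
    "lookalike": "From: Example Bank Security <security@examp1ebank.com>\n"
                 "Reply-To: recovery@mail-verify.example\n"
                 "To: you@yourcompany.example\nSubject: Urgent: verify your account\n\nClick here.\n",
    "display_name": "From: Example Bank <ceo.office@gmail.example>\n"
                    "To: you@yourcompany.example\nSubject: Quick favour\n\nAre you at your desk?\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw) or "no findings")
```

None of these checks need the body or a reputation feed; they run on headers the gateway already has, which is why they belong in front of the user rather than in awareness training alone.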

3: INSIDERS

The overwhelming majority of SME security incidents this year were originated by “insiders”

• IP Theft, Financial Fraud, Procurement Fraud, Insider Trading, Unauthorised applications

• Unauthorised output devices

• Unauthorised connections

• Unauthorised behaviour

• Removable media

CHAT UP LINE #24

“7 out of 10 persons arrested for cyber crime are employees of the company prosecuting them.” Federal Bureau of Investigation, 2010

[Diagram: the Company connected to Supplier 1 through Supplier 9, with the Hacker entering through a supplier connection]

2: 3RD PARTY SUPPLIERS

CHAT UP LINE # 13

“Over 75% of reported breaches over the last 18 months were sourced to a trusted connection.” Wired, Jan 2015

1: APTs

Highly targeted and sophisticated attacks of long duration, utilizing 0-day vulnerabilities to circumvent traditional security defences and compromise a specific target.

vs.

CHARACTERISTICS

• Long term process

• Stealthy & complex delivery

• Utilizes multiple ingress/egress vectors

• Insider knowledge (process/product)

• Exploits unrecognized vulnerabilities

• Specific target objective: retrieve/take down

• Installs its own back door

• High success rate

APTs

OMGs

LOLs

NSAs

TTCFGWME&T

1. APTs

2. 3rd Party Suppliers

3. Insiders

4. Social Engineering

5. Mobile Devices

6. Web Applications

7. Malware

8. Modems

9. IP Equipment

10. Brute Force

TOP 5 TARGETS

1. Sales

2. Finance

3. R&D

4. Databases

5. C Level

CURRENT PERCEPTION

1. Hacktivists: Disruption

2. Hackers: Data Theft

3. Cyber Criminals: Fraud

4. Nation States: IP Theft, Disruption

5. Insiders: Fraud, IP Theft

REMEMBER

PRIORITY SHOULD BE

1. Insiders: Fraud, IP Theft

2. Cyber Criminals: Fraud

3. Nation States: IP Theft

4. Hackers: Data Theft

5. Hacktivists: Disruption

THINK LIKE A HACKER

1. If Dr. Evil can run his programs on your network, it’s not your network anymore.

2. If Dr. Evil can upload programs to your website, it’s not your website anymore.

3. If Dr. Evil can access data on your network, it’s not your data any more.

4. If Dr. Evil can make changes to the applications or devices on your network, it’s not your network or devices anymore.

5. If Dr. Evil uses your network to launch an attack on another network, it’s your problem.

UNDERSTAND EVIL

6. If Dr. Evil can use your network to access your partners’ network, it’s your problem.

7. If Dr. Evil can access your stored data, it’s not your data anymore.

8. More often than not, Dr. Evil works for you.

9. Dr. Evil knows where you hide your spare keys.

10. Mini-me is always faster and smarter.

LAST WORDS…

Computer Security = Oxymoron

www.riskfactory.com

A Different Perspective From:

