So who is this Matt guy anyway?
• Corn-fed, Wisconsin small business owner
• Information security consultant – previously with CDW for 15 years
• Certifications: CISSP, CISM, CRISC, CHSP, GIAC, CGEIT, OMG, BBQ, etc.
• When I’m not busy being a security geek:
  • Gardener • Bee-keeper • Brewer of beer and mead • Chainmailer • Fisherman • Aspiring blacksmith • TH9 in Clash of Clans
Totally Awesome Mullet Award (circa 1987)
Agendamus Maximus
• A very brief history of warfare
• Hackers and threat actors
• Cybercrime examples
• Defensive strategies
• Open dialog
History of Warfare (dramatically oversimplified)
The human penchant for war, power, and conquest
“We have always been at war with Eastasia.” – George Orwell, 1984
Land
• Fists
• Clubs
• Metal
• Swords and spears
• Armor
• Arrows
• Heavy things
• Mobility
Water
• Row boats
• Sail boats
• Gun boats
• Navy
• Submarines
• Heavy things
• Mobility
Air
• Balloons
• Gliders
• Propellers
• Jets
• Spy planes
• Heavy things
• Mobility
Space
• Rockets
• Satellites and communication
• Space bound animals
• People
• Orbital bases
• Orbital attack/defense platforms
• Heavy things
• Mobility
Data and the Internet
• Telegraph
• Punch cards
• Magnetic media
• DARPA
• AOL and PCs
• A world connected
• Transient data
• Evil hax0rz
• Mobility (???)
The Rise of The Hackers
• The Terminally Curious: kids, young adults, adults, misguided motives
• The Maliciously Inclined: evil h4x0rz, axe-grinders, egoists
• Organized crime: BotNet herders, malware developers, profit-motivated criminals
• Advanced Persistent Threat actors: vindictive insiders, ethno-nationalists, ideological fanatics, nation states, rogue corporations and criminal enterprises
The future is here…
Are you prepared?
A few quick statistics
Source: http://www.hackmageddon.com/2015/12/11/november-2015-cyber-attacks-statistics/
Attack Techniques
Commonalities in attack scenarios
• Identify target
• Surveillance and reconnaissance
• Penetration
• Co-opt targets
• Conceal and embed
• Conduct operations
• Profit
Understanding the Zero-day Problem
[Diagram: a stream of bits arriving from the Internet. The binary on the slide is the ASCII encoding of “Be sure to drink your Ovaltine.”]
Matches anti-virus signature – apply countermeasures!
Understanding the Zero-day Problem (continued)
[Diagram: the same stream of bits arriving from the Internet, this time with no signature that matches it.]
Anti-virus says: “Nope. Ain’t never seen it… Carry on, Citizen.”
Very limited or no protection offered
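The two slides above show the whole problem in one picture: a signature engine can only flag what it has already seen. The script below is an added illustration for this talk, not the speaker's code or any vendor's engine. It builds a constructed "signature database" with both an exact-hash signature and a byte-pattern signature, then runs four constructed samples through it: the known sample, a repacked copy, an encoded copy and a benign file. The detection names and the samples are placeholders; the payload string is simply the text the slide's bits spell out.

```python
"""Why a signature engine shrugs at a zero-day.

Added illustration for this talk, not the speaker's code. The "files" are
constructed byte strings; the signature database is made up for the demo and
the detection names are placeholders.
"""
import hashlib
from typing import Dict, Optional

HEADER = b"MZ\x90\x00"                               # stand-in for a PE header
PAYLOAD = b"Be sure to drink your Ovaltine."        # the string the slide's bits spell out

# 1. The sample the vendor has already analysed.
KNOWN_SAMPLE = HEADER + PAYLOAD + b"\x00" * 8
# 2. Same code, rebuilt with different padding: a trivial "repack".
REPACKED_SAMPLE = HEADER + PAYLOAD + b"\x90" * 8
# 3. Same code with the payload XOR-encoded (a toy packer); decoded at run time.
ENCODED_SAMPLE = HEADER + bytes(b ^ 0x2A for b in PAYLOAD) + b"\x00" * 8
# 4. Something harmless.
BENIGN_SAMPLE = HEADER + b"Hello, world.\n" + b"\x00" * 8

# Signature database (constructed): exact-hash signatures and one byte-pattern
# signature in the style of an AV string rule / YARA rule.
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Demo.A",
}
PATTERN_SIGNATURES: Dict[bytes, str] = {
    b"drink your Ovaltine": "Trojan.Demo.Gen",
}


def scan_by_hash(data: bytes) -> Optional[str]:
    """Exact match only: any single changed byte produces a new, unknown hash."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_by_pattern(data: bytes) -> Optional[str]:
    """Survives repacking, but not encoding of the bytes the rule looks for."""
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan(data: bytes) -> Dict[str, Optional[str]]:
    """What each engine says; None is the slide's 'Ain't never seen it'."""
    return {"hash": scan_by_hash(data), "pattern": scan_by_pattern(data)}


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("repacked", REPACKED_SAMPLE),
                          ("encoded", ENCODED_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(f"{label:9s} {scan(sample)}")
```

The hash signature catches only the exact file that was analysed; the pattern signature survives the repack but not the encoding. The encoded sample is, from the engine's point of view, indistinguishable from the benign file: that is the zero-day gap, and it is why the later slides push controls (least privilege, egress filtering, baselining) that do not depend on having seen the sample before.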
Patch Gap and Vulnerability Management
Notice! This little gap represents the zero-day problem
So… where does it all come from?
Example: Low Orbit Ion Cannon
Example: High Orbit Ion Cannon
Support and Customer Service for Hackers!
Customize it with SpyEye
But wait, there’s more! Citadel
Anatomy: A Common Cybercrime Tactic – Online Banking Fraud via Spear Phishing
• Online banking user targeted (spear-phishing email)
• Successful exploitation: a bot is installed on the victim’s machine
• Bot provides feedback to the hax0r
• Means of authentication compromised; hax0r collects the banking credentials
• Hax0r logs into the victim’s online banking account
• Hax0r moves $$$ to a US account
• Unsuspecting perp (a money mule) moves the money overseas
Two quick riddles…
Q: When do organizations realize that they have made a mistake in security spending?
A: Usually never – they simply miss out on the chance to use some money for other things, but they seldom really investigate how much or why.
Q: How much better is it to do a great job with security than it is to do an average job?
A: Well, we need to adjust the definition of “great” so that it encompasses not overspending, spending irrationally, or spending ineffectively.
How do we decide what to do?
• Everyone spends on security, but we know our security will never be perfect
• Budgeting for security is problematic
• We must optimize our security spending and resource allocation
• A security assessment is the process of identifying and prioritizing risks and mitigation strategies
• A well-done assessment should give you confidence
Top 5 Security Things You Should Be Doing (but probably aren’t)
• There will always be “something” to do that is not being done
• Commonalities across verticals
• Verify and ask questions
• Form a plan
• Execute
• Validate
• Improvement and vigilance
#1 Fix Your Passwords
• Develop and enforce password policy
• Foster a security-aware culture
• Employ passphrases
• Perform periodic password audits
• Password isolation
• Consider multi-factor authentication
Sorry, but I’m about to geek out on you…
• No. This is not the Death Star nor is it a lesson in optics
• Blue ovals are hosts, red boxes are credentials (username/password combination), and yellow spots are the domains (domain controllers, to be specific).
• The “credentials” in this one are local administrative accounts, so this represents local account trusts for administrative level users (admin on hosts and/or the domain controllers).
• ~1,400 hosts involved in trusts with at least one other, many with many others, including the domain.
Geeking out… Part 2
• Much simpler, yes?
• Blue ovals are hosts, red boxes are credentials (username/password combination), and yellow spots are the domains (domain controllers, to be specific).
• The “credentials” in this one are local admin accounts, so this shows local account trusts for admin level users (admin on hosts and/or the domain controllers) EXCEPT that this time, the actual “Administrator” accounts are excluded.
• In other words, it’s the same as the previous graph, if they were to fix just all of the local “Administrator” accounts. Only 129 hosts now involved in local account trust relationships.
• So by fixing the local “Administrator” account on all their boxes, they can achieve an order of magnitude improvement in # hosts involved.
Note: We’re not even talking about fixing patch-related vulnerabilities yet!
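The two graphs come from a real audit; the script below is an added illustration for this talk, not the speaker's tooling, and rebuilds the same kind of graph from a small constructed inventory. Hostnames and the "hash-…" strings are placeholders for what a local-account audit would collect. A credential found on two hosts is an edge (a "trust"), `hosts_in_trusts` counts the hosts the slide counted, and `blast_radius` walks the edges to show what an attacker who owns one workstation can reach, with and without the shared local Administrator password in the picture.

```python
"""Local-admin credential trust graph, in the spirit of the "geeky graphs" above.

Added illustration for this talk, not the speaker's tooling. The inventory is
constructed: hostnames and the "hash-..." strings are placeholders standing in
for what a credential audit (e.g. dumping local SAM hashes) would collect.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Credential = Tuple[str, str]          # (username, password hash)

# Constructed audit result: host -> local administrative credentials present on it.
# Every host got the same image, so the built-in Administrator password is shared.
LOCAL_ADMINS: Dict[str, Set[Credential]] = {
    "DC01":    {("Administrator", "hash-A"), ("svc_backup", "hash-S")},
    "FILE01":  {("Administrator", "hash-A"), ("svc_backup", "hash-S")},
    "WKS001":  {("Administrator", "hash-A"), ("helpdesk", "hash-H1")},
    "WKS002":  {("Administrator", "hash-A"), ("helpdesk", "hash-H1")},
    "WKS003":  {("Administrator", "hash-A"), ("helpdesk", "hash-H2")},
    "WKS004":  {("Administrator", "hash-A")},
    "KIOSK01": {("Administrator", "hash-K"), ("kiosk", "hash-Q")},   # unique password
}


def shared_credentials(inventory: Dict[str, Set[Credential]],
                       exclude_users: Iterable[str] = ()) -> Dict[Credential, Set[str]]:
    """Map each credential that appears on more than one host to those hosts.

    A credential present on two hosts is a "trust": compromise of either host
    yields a working admin logon to the other. exclude_users models fixing an
    account (giving it a unique password everywhere) by dropping it from the graph.
    """
    excluded = set(exclude_users)
    cred_to_hosts: Dict[Credential, Set[str]] = defaultdict(set)
    for host, creds in inventory.items():
        for cred in creds:
            if cred[0] not in excluded:
                cred_to_hosts[cred].add(host)
    return {c: hosts for c, hosts in cred_to_hosts.items() if len(hosts) > 1}


def hosts_in_trusts(inventory, exclude_users=()) -> Set[str]:
    """Hosts that share at least one admin credential with some other host."""
    involved: Set[str] = set()
    for hosts in shared_credentials(inventory, exclude_users).values():
        involved |= hosts
    return involved


def components(inventory, exclude_users=()) -> List[Set[str]]:
    """Connected components of the host graph: hosts reachable from one another
    by hopping along shared credentials (the attacker's lateral-movement paths)."""
    adjacency: Dict[str, Set[str]] = defaultdict(set)
    for hosts in shared_credentials(inventory, exclude_users).values():
        for h in hosts:
            adjacency[h] |= hosts - {h}
    seen: Set[str] = set()
    result: List[Set[str]] = []
    for start in inventory:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            h = stack.pop()
            if h in seen:
                continue
            seen.add(h)
            comp.add(h)
            stack.extend(adjacency[h] - seen)
        result.append(comp)
    return result


def blast_radius(inventory, compromised: str, exclude_users=()) -> Set[str]:
    """Every host an attacker holding admin on `compromised` can reach."""
    for comp in components(inventory, exclude_users):
        if compromised in comp:
            return comp
    return {compromised}


if __name__ == "__main__":
    before = hosts_in_trusts(LOCAL_ADMINS)
    after = hosts_in_trusts(LOCAL_ADMINS, exclude_users={"Administrator"})
    print(f"hosts in local-account trusts: {len(before)} -> {len(after)} "
          f"after fixing the local Administrator account")
    print("from WKS004, before:", sorted(blast_radius(LOCAL_ADMINS, "WKS004")))
    print("from WKS004, after: ", sorted(blast_radius(LOCAL_ADMINS, "WKS004", {"Administrator"})))
```

With the shared Administrator password in place, owning WKS004 (which has no other shared account) reaches every host including DC01; take that one credential out of the graph and WKS004 becomes an island, while the remaining edges (the shared helpdesk and service-account passwords) are what is left to fix next. In a Windows estate the standard way to "exclude Administrator" for real is to give each machine a unique, rotated local admin password (Microsoft's LAPS does this), which is an assumption of this example rather than something the slide states.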
Why is this so bad? Lessons Learned
• A single vulnerability might give an attacker access to a great deal of stuff
• Once that happens, it’s hard to distinguish between logins by legitimate friends vs. logins by adversaries
• It might be pretty hard, even, to determine if Something Bad™ has happened
• It might be relatively easy to gather data about various vulnerabilities, but it’s hard to spot the relationships that govern how deadly they are
Inferences From The Geeky Graphs
There are things you can do to lessen the impact of a new vulnerability being exploited
• Principle of “Least Privilege” and “Inverted Security”
• Reduce sharing of local accounts
• Turn off cached credentials where not needed
• Now we can begin to think in terms of vulnerabilities we don’t yet know about (recall the zero-day problem?)
• Oh, and patch your stuphs!
#2 Use a Password Safe
• Get rid of those Excel and Word docs for password storage
• Encrypted storage
• Improve enterprise disaster recovery capabilities
Did I mention…
GET RID OF THOSE EXCEL AND WORD DOCS!
How’s Your Memory Doing These Days?
• Don’t use spreadsheets or unprotected documents!
• Individual use: home, office, mobile
• Enterprise use: complex environments, privilege use and tracking, effective management
#3 Network Egress Filtering
• Egress, or outbound, traffic filtering: firewalls and VLANs/VACLs
• Block and monitor: Security Information and Event Management (SIEM)
• Identify and isolate highly sensitive and confidential data: Data Loss Prevention (DLP)
Baseline and Behavioral Analysis
Develop baselines
• What does normal behavior look like?
• What does abnormal behavior look like?
Internal monitoring in addition to external
• Develop initial indicators
• Lends itself well to incident response planning and preparedness
Prepare for the worst, hope for the best
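An added illustration for both the egress-filtering slide (#3) and the baseline slide above, not the speaker's tooling: a small script that applies a default-deny egress policy to flow logs and compares a later window against a learned baseline. The log lines are constructed in a simple key=value style (real firewall or NetFlow exports differ, so `parse_flow` is the function to adapt), the allow-list is a constructed example of "workstations go out only via the proxy and the internal resolver", and the addresses are RFC 5737 documentation ranges.

```python
"""Egress-policy and baseline checks over flow logs.

Added illustration for this talk, not the speaker's tooling. The log lines are
constructed in a simple key=value style; real firewall/NetFlow exports differ,
so parse_flow() is the one function to adapt. Addresses are RFC 5737 test ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Egress allow-list: only these (source host, destination port) pairs may talk to
# the Internet directly. Workstations go through the proxy and the internal resolver.
EGRESS_ALLOW: Set[Tuple[str, int]] = {
    ("10.0.0.5", 80), ("10.0.0.5", 443),   # web proxy
    ("10.0.0.2", 53),                      # internal DNS resolver (forwarder)
    ("10.0.0.10", 25),                     # mail relay
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    ts, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    return Flow(ts, f["src"], f["dst"], f["proto"], int(f["dport"]))


def parse_log(text: str) -> List[Flow]:
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_violations(flows: List[Flow]) -> List[Flow]:
    """Internal -> external flows the egress policy should block.
    On the firewall these are deny+log rules; here we find them in the logs."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst)
            and (f.src, f.dport) not in EGRESS_ALLOW]


BaselineKey = Tuple[str, str, int]   # (source, "internal"/"external", dport)


def behaviour_key(f: Flow) -> BaselineKey:
    return (f.src, "internal" if is_internal(f.dst) else "external", f.dport)


def build_baseline(flows: List[Flow]) -> Set[BaselineKey]:
    """'What does normal look like?': who talks where, on which port."""
    return {behaviour_key(f) for f in flows}


def new_behaviour(flows: List[Flow], baseline: Set[BaselineKey]) -> List[Flow]:
    """Flows that do not fit the baseline: the initial indicators to triage."""
    return [f for f in flows if behaviour_key(f) not in baseline]


# Constructed "quiet week" used to learn the baseline.
BASELINE_LOG = """\
2015-11-02T09:00:01Z src=10.0.1.15 dst=10.0.0.5 proto=tcp dport=3128
2015-11-02T09:00:02Z src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=443
2015-11-02T09:00:03Z src=10.0.1.15 dst=10.0.0.2 proto=udp dport=53
2015-11-02T09:00:04Z src=10.0.0.2 dst=198.51.100.1 proto=udp dport=53
2015-11-02T09:00:05Z src=10.0.1.22 dst=10.0.0.5 proto=tcp dport=3128
"""

# Constructed later window: one workstation bypasses the proxy and the resolver
# (a bot phoning home / DNS tunnelling pattern), another starts hitting SMB internally.
INCIDENT_LOG = """\
2015-11-03T14:12:01Z src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=443
2015-11-03T14:12:07Z src=10.0.1.15 dst=203.0.113.7 proto=tcp dport=443
2015-11-03T14:12:09Z src=10.0.1.15 dst=198.51.100.9 proto=udp dport=53
2015-11-03T14:13:30Z src=10.0.1.22 dst=10.0.0.20 proto=tcp dport=445
"""

if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    incident = parse_log(INCIDENT_LOG)
    for f in egress_violations(incident):
        print("EGRESS VIOLATION", f)
    for f in new_behaviour(incident, baseline):
        print("NEW BEHAVIOUR   ", f)
```

The egress check catches the workstation talking straight to the Internet on 443 and 53 (the firewall should have dropped and logged both); the baseline check catches those two and also the internal SMB connection, which no egress rule would ever see. That second finding is the point of the "internal monitoring in addition to external" bullet: the internal-to-internal flow is only suspicious because it is new for that host.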
#4 Improve Your Monitoring and Inventory Management
• Start simple
• Establish basic metrics
• Authorized and unauthorized devices
• Centrally manage audit logs
• Focus on relevant issues first
• More automation of alerting
• Trending
#5 Perform Routine Scanning
• Utilize your updated inventory: SolarWinds
• Identify known weaknesses: Nessus
• Continuous remediation: ERM
• Update build standards: ITIL
• Improve patching regimen: WSUS/SCCM
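An added illustration for slides #4 and #5, not the speaker's tooling: the "authorized and unauthorized devices" metric comes from reconciling what a scan sees against what the inventory says should be there. Both inputs below are constructed; the CSV stands in for an inventory export and the scan text mimics the IP, MAC and vendor columns an ARP sweep of a subnet produces. Devices are matched on MAC address, since IPs move with DHCP.

```python
"""Reconcile an asset inventory against a network scan.

Added illustration for this talk, not the speaker's tooling. Both inputs are
constructed: the CSV stands in for an inventory export, and the scan text mimics
the "IP<TAB>MAC<TAB>vendor" lines an ARP sweep of a subnet produces.
"""
import csv
import io
from typing import Dict, List

INVENTORY_CSV = """\
hostname,ip,mac,owner
DC01,10.0.0.1,00:50:56:aa:00:01,IT
FILE01,10.0.0.3,00:50:56:aa:00:03,IT
WKS001,10.0.1.15,00:50:56:aa:01:15,Finance
WKS002,10.0.1.16,00:50:56:aa:01:16,Finance
PRN01,10.0.1.200,00:50:56:aa:02:00,Facilities
"""

SCAN_OUTPUT = """\
10.0.0.1\t00:50:56:aa:00:01\tVMware, Inc.
10.0.0.3\t00:50:56:aa:00:03\tVMware, Inc.
10.0.1.15\t00:50:56:AA:01:15\tVMware, Inc.
10.0.1.17\t00:50:56:aa:01:16\tVMware, Inc.
10.0.1.77\tb8:27:eb:12:34:56\tRaspberry Pi Foundation
"""


def norm_mac(mac: str) -> str:
    """Canonical form so 00-50-56-AA-01-15 and 00:50:56:aa:01:15 compare equal."""
    return mac.strip().lower().replace("-", ":")


def load_inventory(text: str) -> Dict[str, dict]:
    """MAC -> inventory record. The MAC is the key: IPs move with DHCP."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}


def load_scan(text: str) -> Dict[str, dict]:
    seen: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, vendor = line.split("\t", 2)
        seen[norm_mac(mac)] = {"ip": ip, "vendor": vendor}
    return seen


def reconcile(inventory_text: str, scan_text: str) -> Dict[str, List[dict]]:
    """Three lists worth a ticket each: unknown devices, absent devices, moved devices."""
    inventory = load_inventory(inventory_text)
    scan = load_scan(scan_text)
    report: Dict[str, List[dict]] = {"unauthorized": [], "missing": [], "moved": []}
    for mac, obs in scan.items():
        rec = inventory.get(mac)
        if rec is None:                      # on the wire, not in the books
            report["unauthorized"].append({"mac": mac, **obs})
        elif rec["ip"] != obs["ip"]:         # known device, unexpected address
            report["moved"].append({"hostname": rec["hostname"],
                                    "expected": rec["ip"], "seen": obs["ip"]})
    for mac, rec in inventory.items():
        if mac not in scan:                  # in the books, not answering
            report["missing"].append({"hostname": rec["hostname"], "ip": rec["ip"]})
    return report


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY_CSV, SCAN_OUTPUT).items():
        print(category)
        for item in items:
            print("  ", item)
```

The "unauthorized" list is the metric the slide asks for; the "missing" list is the one that keeps the inventory honest (a printer that has not answered in weeks is either gone or was never where the spreadsheet said), and the "moved" list is usually DHCP but is worth a glance, since a cloned MAC on a new address looks exactly the same. The reconciled, current inventory is then the scope fed to the vulnerability scanner rather than a stale subnet list.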
Vulnerability-free Planning
• Plan 1: Find out about and fix all flaws in all products
  • Not likely; vendors keep releasing patches, indicating that they don’t know them all
  • “Apollo 8 has 5,600,000 parts and one half million systems, subsystems, and assemblies. Even if all functioned with 99.9% reliability, we could still expect 5,600 defects.”
    – Jerry Lederer, NASA safety chief (quoted in Collins, Michael. Carrying the Fire: An Astronaut’s Journeys, New York: Random House, 1974, p. 307)
• Plan 2: Prevent all flaws from being exploitable by anybody
  • Also problematic; generally this would involve denying all access…
  • “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.”
    – Gene Spafford (quoted in Dewdney, A. K., “Computer Recreations: Of Worms, Viruses and Core War,” Scientific American, March 1989, p. 110)
Set Goals!
• Identify
• What data do you consider to be sensitive or confidential?
• What forms do your critical data take?
• How and where is it being stored?
• Who “owns” the data and who has access to it?
• Monitor
• How is the data being used?
• Where is it being sent?
• How is it being sent/transferred?
Report
• Information is primarily useful when it is consumed (and is consumable)
• Access summaries, capacity reports, data life cycle management, etc.
• Understanding of key risks facing the organization
Improve
• Manage technical issues and improve business processes
• Intelligent application of resources to support remediation efforts
• Knowledge is power!
Open Dialog Time!
Introduction: Jeff Grady from Three Pillars Technology
We know you have questions
Special Thanks to:
MEGA Healthcare Conference Organizers
Our Wonderful Sponsors
Kaye Prieve and Wendy Ellwein