Date posted: 13-Apr-2017
It Takes More than a Firewall
Thane Barnier, IT / Web Development Manager
Sioux Falls Area Chamber of Commerce
A network is like a castle
The medieval castle model: build the walls thick, stockpile supplies and laugh as attacks bounce off the walls. It’s a siege.
A good firewall can stop a brute force attack.
How do you break down a castle’s defenses? Attack from multiple sides. Go over or under the walls. Add more siege engines to overwhelm the walls. But the best way to get in…
Get someone inside to open the gates!!
It wasn’t me, I swear!
The Melissa macro virus hit in March 1999.
High traffic generated by this virus brought mail servers to their knees. Antivirus software was ineffective against this attack vector. In short, we weren’t ready!
The LoveLetter worm hit in 2000. Because of its destructiveness and virulence, many still consider it the most dangerous virus ever.
It destroyed JPG files, overwriting them with copies of itself. Difficult to remove because it self-replicated within the computer, cloning itself.
Launched a Denial of Service attack on the official White House website.
50 million infections in the first 10 days. Est. 10% of internet-connected computers infected worldwide.
The mid 2000s saw the rise of Spyware, Adware and Trojan Horse programs. Hard to detect because they are relatively passive. They steal information covertly without triggering Antivirus software.
Most versions don’t use email to spread; rather, they exploit holes in browser security to install. Not generally self-replicating. Trojans can create zombie computers to form botnets for DDoS attacks. Wide variety of attack vectors, striking from multiple sides. (Get more siege engines.)
2009 – RogueWare/Fake Antivirus!!!
A new approach to malware with one goal in mind: $$$$. FakeAV software, warnings of reporting illegal activities, porn pop-ups. Played on user fear to invoke an emotional response. Required user interaction to install, thereby circumventing most antivirus systems.
Users who paid the requested prices would find their credit cards charged, AND stolen. A 2010 report estimated the creators were making $35 million PER MONTH. Nearly impossible to remove safely at the time. Disabled REAL Antivirus software. Employ the nuclear option.
What do all these attacks have in common?
SOCIAL ENGINEERING
Social Engineering
The Devil made me do it!
A hacker’s most effective tool is good SOCIAL ENGINEERING. The trick is to get one of us to open our gates without realizing we’re doing it. As people catch on, hackers quickly adapt their techniques.
The email worms use tricks to get the user to open the attached file.
Antivirus programs begin to strip them off, so hackers move to embedded links which lead to malware payloads.
Emails begin to look more realistic, making them harder to spot.
Fake Antivirus programs created by experienced programmers look and feel like real commercial software.
Ransomware plays on users’ fears.
Malvertising offers a sophisticated attack vector which is impossible to detect until it’s too late.
CRYPTOLOCKER
The new face of EVIL!
Hit in 2013. Caught us unprepared and defenseless. No one had an answer. Unlike anything we’d ever seen before. Ransomware for real.
Literally kidnaps your files. Encryption which is virtually unbreakable: RSA-4096. Multiple variants: CryptoWall, TorrentLocker, etc. Antivirus virtually ineffective.
May 2014 – The FBI announced it had shut down the Zeus botnet and the Cryptolocker network. The media declared Cryptolocker dead and stopped talking about it. New variants and new botnets started appearing in the “darknet”.
Oct. 2015 – The FBI’s official response…pay the ransom.
Feb 2016 – Hollywood Presbyterian Medical Center hit by a ransomware attack. CT scans, documentation, lab work, pharmacy functions and electronic communications out of commission. Radiation & Oncology shut down, ER “sporadically impacted”. Luckily no one died. After a week of fighting it, the hospital paid over $17,000 to get their files back.
ALL your files are belong to us!
Removal tools can strip the virus, but will do nothing to fix encrypted files. The program MUST be installed in order to pay the ransom and decrypt the files.
Backups. Backups. Backups. Redundancy. If you don’t have backups, pay the ransom and hope it works. That’s the only way to decrypt your files. NOT a guarantee!!!
If a PC does get infected, kill the power immediately and disconnect it from the network before it infects other systems. If you don’t have an IT staff, call a pro! Dealing with CryptoLocker takes finesse.
IT’s worse than that, he’s dead Jim!
User waited hours to report it. In 4 hours Cryptolocker decimated our network. Every document, image, PDF, spreadsheet etc. on the computer was encrypted. 200,000+ files encrypted on 6 different network shares, across 3 servers. Almost 2 TB of data. Our main membership database.
We had just purchased a new backup system. Though the software reported it was working perfectly, none of the backups were valid for restoration. The software company responded that apparently it wasn’t working correctly. They offered no other support.
Using Volume Shadow Copy, I was able to restore all of the file shares, except our main membership database. We worked for 48 straight hours restoring systems and trying to recover the membership database. In the end…we had no choice but to pay the ransom. It worked!
It all started with one email that looked like a FedEx receipt.
CryptoWall – The second coming
Hit Friday at 1:43 PM. By 2:45 it had encrypted 275,000 files, 875 GB of data. Safety measures put in place for Cryptolocker were completely circumvented.
Our triple redundancy backup system worked great. We were able to restore all but 6 files. A/V, security policies, firewalls – it got past them all. Still, it could have been prevented.
Don’t take ZIP files from strangers!
So how do we defend against this? We must combat this Social Engineering with our own Social Engineering. We all need to learn what to look for and what to do if we do get infected. Think before you act.
Email is still the most common threat vector. Despite all our filtering, things still can and do get through. In the end, the best countermeasure we have is ourselves.
Even if you know the sender of an email, were you expecting it? Would this person really send you a ZIP file? Never open anything with a .scr, .vbs or .exe extension. (elfbowling.exe)
Amazon, UPS, USPS, FedEx, PayPal – companies we use every day are commonly spoofed in emails. VERY prevalent around the holidays. On first glance, these fake emails are so well crafted you’d never notice a difference. Suspicion and a couple of seconds will reveal the difference.
Warning signs that this is a fake email: bad grammar or misspellings. Do the links really go where they say? HTTP:// vs. HTTPS://. These companies will never send you an attachment!!! Rather than clicking the link in the email, go to the site itself. ALWAYS be wary. If you have doubts, don’t open it, don’t click it.
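The warning signs above can be checked mechanically before a user ever reads the message. The following is an added example, not part of the deck, that applies three of them to a raw email: a risky attachment extension (.scr, .vbs, .exe, or the ZIP that wraps them), a plain-HTTP link, and link text that names a domain the href does not actually go to. The sample message, the fedex-example.invalid sender and the 198.51.100.7 address are constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Extensions the deck says never to open, plus the ZIP wrapper they usually arrive in.
RISKY_EXT = (".scr", ".vbs", ".exe", ".zip")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")

def phishing_warnings(raw_message):
    """Return the deck's warning signs found in one raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    warnings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            warnings.append(f"risky attachment: {name}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return warnings
    for href, text in ANCHOR.findall(body.get_content()):
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme == "http":
            warnings.append(f"plain HTTP link: {href}")
        # "Do the links really go where they say?" Compare the domain shown to the real host.
        shown = DOMAIN.search(re.sub(r"<[^>]+>", "", text).lower())
        if shown and not (host == shown.group(0) or host.endswith("." + shown.group(0))):
            warnings.append(f"link text says {shown.group(0)} but goes to {host}")
    return warnings

# Constructed sample: a fake "FedEx receipt" with a ZIP attachment and a misleading link.
SAMPLE = """\
From: FedEx <noreply@fedex-example.invalid>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Track your package at <a href="http://198.51.100.7/track">www.fedex.com/track</a></p>
--b1
Content-Type: application/zip; name="receipt.zip"
Content-Disposition: attachment; filename="receipt.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""
```

Running `phishing_warnings(SAMPLE)` yields three warnings for the constructed message; a plain-text mail with no attachments and no links yields none.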
My password = PASSWORD
There are 10 Immutable Laws of Network Security. Law #5: Weak passwords trump strong security. There are many ways to crack your password: key loggers and malware, phishing.
Social media harvesting and Google hacking: used to create tables of pertinent information used in automated guessing attacks. Using the names of people, places, things and dates that mean something to us makes these attacks possible.
Brute force password attacks. What a hashed password looks like: BF733889685D4B3068EE38CF7D1CE36131D6CFE0D16AE931B73C59D7E0C089C0
Brute force time for each password:
vikings: 2 seconds
Vikings: 6 minutes
Vikings28: 55 days
VikingsSuck!: 1397612 years, 6 months
Minimum 12 characters. Complex (3 of 4: uppercase, lowercase, number or symbol). Don’t use things that are easily identifiable from social media. Don’t use your work password at home. Don’t just change 1 number each time.
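The four timings above come from a password-cracking estimator. The added example below, not from the deck, reproduces the reasoning behind them by computing the brute-force keyspace of each password, and checks a candidate against the deck’s rules: 12+ characters, 3 of 4 classes, no social-media terms, and not a one-number change from the last password. The guess rate of 10^10 per second is an assumption, so the ordering matches the deck’s table but the exact figures do not.

```python
import math
import string

# The four character classes the deck's "3 of 4" rule counts.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def classes_used(pw):
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def keyspace_bits(pw):
    """Bits of search space for an attacker who knows which classes pw draws from."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def bruteforce_seconds(pw, guesses_per_second=1e10):
    """Worst-case time to exhaust the keyspace; the guess rate is an assumed figure."""
    return 2 ** keyspace_bits(pw) / guesses_per_second

def is_trivial_rotation(old, new):
    """Catch 'just change 1 number': same stem with a new trailing number, or one character changed."""
    def stem(s):
        return s.rstrip(string.digits)
    if old != new and stem(old) and stem(old) == stem(new):
        return True
    return len(old) == len(new) and sum(a != b for a, b in zip(old, new)) == 1

def check_policy(pw, previous=None, personal_terms=()):
    """Return the deck's policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if len(classes_used(pw)) < 3:
        problems.append("fewer than 3 of 4 character classes")
    hits = [t for t in personal_terms if t.lower() in pw.lower()]
    if hits:
        problems.append("contains personal term(s): " + ", ".join(hits))
    if previous and is_trivial_rotation(previous, pw):
        problems.append("only a one-number change from the previous password")
    return problems

if __name__ == "__main__":
    # The deck's four examples, in order, at the assumed guess rate.
    for pw in ("vikings", "Vikings", "Vikings28", "VikingsSuck!"):
        print(f"{pw:13s} {keyspace_bits(pw):5.1f} bits  ~{bruteforce_seconds(pw) / 86400:.1e} days")
    print(check_policy("Vikings29", previous="Vikings28", personal_terms=("vikings",)))
```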
It takes more than a firewall
With so many threats, so many attack vectors, we fight a multi-front war. 7-character complex passwords aren’t enough anymore. Enterprise antivirus software is essential, but it isn’t enough. A strong firewall is essential, but it isn’t enough. Security must be a responsibility of every user, not just the IT guys.
Keep staff updated on new threats. Acknowledge their successes in spotting and avoiding danger; don’t just berate them when they fail. We must keep users engaged; they MUST become a part of the security process. Our users are our biggest vulnerability, but they are also our most effective line of defense.
Build yourself a Cyber Militia!