Cybersecurity— Part Two...3)An advanced attack comprises four stages: infection, persistence, communication, and command and control. 4)Advanced persistent threats are designed to

1

June6,2017

DeborahWeinswig,ManagingDirector,FungGlobalRetail&[email protected]:917.655.6790HK:852.6119.1779CN:86.186.1420.3016Copyright©2017TheFungGroup.Allrightsreserved.

1) InPartOneofthisDeepDivereport,weprovidedasummaryofthecurrentcybersecurityenvironmentanddiscusseditscomponents.

2) HereinPartTwo,wediscussthecomponentsandcharacteristicsofanadvancedattack,thedifferenttypesofattacksandvulnerabilities,andthedifferenttypesofhackers.

3) Anadvancedattackcomprisesfourstages:infection,persistence,communication,andcommandandcontrol.

4) Advancedpersistentthreatsaredesignedtoremainundetectedandtooperateoveralongperiod,slowlyaccumulatingdatafromserversanddatabases,aggregatingit,andthensendingitinabursttoaremoteserver.

5) Typesofattacksincludemalware,spam,botnetsandransomware,andhackerscantakeadvantageofvulnerabilitiesinsystems,suchastheuseofweakorcommonpasswords,inordertowageattacks.

6) Thetypicalhackerisnotsome15-year-oldworkingathisbedroomdesk,aswemightimagine.Rather,thereareavarietyofhackers,whoarecategorizedbythecolorof“hat”theywear,whichcorrespondswiththeirpresumedmotivation.Therearealsoorganizedcrimeandstate-sponsoredhackers.Thedarkwebhasemergedasamarketplaceforstolenpersonalinformation.

7) Fortunately,apowerfulcybersecurityindustryhasemerged,andmanyprivateandpubliccompaniesnowspecializeinprovidingtargetedhardwareandsoftwaresolutionstothwartandminimizetheimpactofcyberattacks.Venturecapitalinvestmentinthespaceisalsohealthy,keepingthelevelofinnovationhigh.

Deep Dive: An Introduction to

Cybersecurity—Part Two

Deborah Weinswig

Managing Director

Fung Global Retail & Technology

[email protected]

US: 917.655.6790

HK: 852.6119.1779

CN: 86.186.1420.3016

2

June6,2017


TableofContents

ExecutiveSummary.............................................................................................................3

AboutThisDeepDive..........................................................................................................4

ComponentsofanAdvancedAttack....................................................................................5Infection.......................................................................................................................................5Persistence...................................................................................................................................5Communication............................................................................................................................5CommandandControl..................................................................................................................5

CharacteristicsofanAdvancedPersistentThreat(APT).......................................................5

TypesofAttacks/Vulnerabilities..........................................................................................7Malware.......................................................................................................................................7Spam............................................................................................................................................9Botnets.......................................................................................................................................10DistributedDenialofService(DDoS)...........................................................................................11Ransomware...............................................................................................................................11PrivilegeEscalation.....................................................................................................................13Exploits.......................................................................................................................................13Backdoors...................................................................................................................................13BadPasswords............................................................................................................................14Hacktivism/Vigilantism/Cyberdissidents/Shaming......................................................................15Internet-PoweredBankHeists....................................................................................................15

TypesofHackers...............................................................................................................16OrganizedCrime.........................................................................................................................16TheDarkWebasMarketplace....................................................................................................17State-SponsoredHackers............................................................................................................17CurrentandFormerEmployees..................................................................................................18

NotableCasesofHacking..................................................................................................19

3

June6,2017


ExecutiveSummaryEversincehumansbegantreasuringobjectsofvalue,therehavebeenindividualswhohavewantedtostealordamagethoseobjects.Inourcurrentera,theInformationAge,datarepresentmanyofourobjectsofvalue.PCviruseshaveexistedessentiallysincetheadventofthePC.AndasthePC’scapabilitieshaveincreasedovertime,followingMoore’slaw,so,too,hasthevalueofthedataresidingonthem,makingthemanattractivetargetforcriminals.

TheinventionoftheInternethasmadetheworldflat,enablingustoshopandmakepurchasesfromfarawaycountries.Atthesametime,ithasenabledinvisiblecriminalsathomeandabroadtosometimesbreakintoourPCsandtakeourdata,lockupourdevicesinexchangeforransom,orcauseothertypesofhavoc.

Atonetime,cybersecuritysimplyconsistedofprotectingcomputersfromvirusesandmalwarethatcouldbehiddenonafloppydisk.Now,computerusersarevulnerabletopickingupsuchmaladieswhilebrowsingtheweb,usingamobilephone,loggingintoafreeWi-FiserviceorevenplugginginaUSBsticktheymighthavefound.

Unfortunately,theInternethasbecomeadarkerplace.Inthepast,teenagehackersmighthavebrokenintocomputersystemsinordertodemonstratetheirabilitiesandcauseminorchaos,butnow,organizedcriminalgangsarecolludingwithstate-sponsoredhackinggroupstoengageinlarceny,extortion,andcorporateandprivateespionage.Moreover,somemiscreantsarenowinvadingcomputersandencryptingtheharddrive,threateningtoreleaseitonlyinexchangeforaheftyransompaymentmadeinuntraceablebitcoin.

Forbothindividualsandenterprises,itisastruggletokeepthebadactorsatbay.Theyarerelentlessandtireless,andallittakesisonepersonclickingonthewrongemaillinktoletthemin.Cyberattacksarelargelyenabledbythehumanelement—byourownapathy,inattentiontodetailorlackofvigilance.HackersoftengetinwhenITmanagersdonotapplysoftwareupdatesorpatchesordonotheedtheyellowandredflagsgeneratedbysecuritymonitors.AndmanyITteamsdonothaveaplaninplacetodealwithbreak-ins,whicharealmostinevitable.Theburdenofcybersecurityfallsonallofus:tokeepcybercriminalsout,wemuststayontopofourgameandnotdozeoff.

Enterthegoodguys,offeringcybersecuritysolutions.Justaswehavetobuylockstoprotectourhomes,ITmanagershavetoarmthemselveswithasuiteoftoolstofendoffnetworkinvasions,oratleastminimizetheireffects.ThenegativePRandbusinessconsequencesthatcanresultfromanetworkincursionarejusttoogreatarisktonotdealwiththecybersecuritythreatproactively,asmanyretailersandgovernmentagencieshavepainfullylearned.

Inthisreport,weprovideageneraloverviewofcybersecurity,thedifferenttypesandmethodsofcyberattacks,andmanydetailsabouttheindustryandthecompaniesthatareworkingtokeepourdevicesandnetworkssafefromcybercriminals.

Unfortunately,theInternethasbecomeadarkerplace.Organizedcriminalgangsarecolludingwithstate-sponsoredhackinggroupstoengageinlarceny,extortion,andcorporateandprivateespionageandmiscreantsareencryptingharddrivesanddemandingthepaymentofransomware.

4

June6,2017


AboutThisDeepDiveFungGlobalRetail&TechnologyispublishingitsDeepDive:AnIntroductiontoCybersecurityinthreeinstallments.

TheExecutiveSummaryoutlinesthegrowthoftheInformationAgeandtheadventoftheInternet,thebenefitsofwhichhavebeentestedoftenbycorrespondingdevelopmentsincomputervirusesandmalware.Recently,though,theInternethasbecomeasignificantlydarkerplace.Thebadactorsonlineusedtobemostlyteenagehackers,buttheyarebeingreplacedbyorganizedcrimesyndicatesandstate-sponsoredhackerswithmuchbiggercriminalambitions.Thegoodguyshavelaboredtokeeppacewiththecybercriminals,andarichcybersecurityindustryhasemerged,withalargenumberofcompaniesspecializinginthevariousaspectsofonlinesecurity.

PartOne:IntroductionandComponentsofCybersecurityThegrowinginterconnectednessofcomputersandincreasinguseoftheInternetmakecomputersanirresistibletargetforcybercriminals.AsInternetusagehasincreasedandhackingtoolshavebecomemoreaccessible,thenumberofreportedcyberattackshasrisen.Thecat-and-mousegamebetweenvirusdevelopersandantivirussoftwaremakerscontinuedrelativelypeacefullyuntilabout2010,whenthebalancebetweenhackersanddefenderswasseverelyaltered.

In2013,theNationalInstituteofStandardsandTechnologydefinedfivecategoriesinaframeworkforreducingcyber-riskstoinfrastructure:identification,protection,detection,responseandrecovery.

PartTwo:ComponentsofanAdvancedAttack,CharacteristicsofanAdvancedPersistentThreat,andTypesofAttacksandHackersTheterm“APT”referstoanadvancedpersistentthreat,acyberattackinwhichanunauthorizedpersongainsandmaintainsaccesstoanetworkforanextendedperiodoftime.RecentAPTshavetargetedenterprises.

APTscantakeanumberofforms,includingmalware,spam,botnetandransomwareattacks,andhackerscantakeadvantageofvulnerabilitiesinsystems,suchastheuseofweakorcommonpasswords.

Typesofhackersincludescriptkiddiesandwhite,black,gray,green,redandbluehats.

PartThree:NewThreats/ThreatVectors,MarketsandCybersecurityCompaniesThenumberandkindsofcyberthreatscontinuetogrowandevolveduetoadvancesintechnologythatbenefitbothattackersanddefenders.

MarketintelligencefirmIDCforecaststhatglobalspendingoncybersecuritywillincreaseatan8.3%CAGRbetween2016and2020,growingfrom$73.6billionto$101.6billion.Thisgrowthrateismorethandoublethe3.3%CAGRthatIDCforecastsforworldwideITproductrevenuefrom2015through2020.

TheFungGlobalRetail&TechnologyteamhopesthatyouwillfindthisDeepDiveinterestingandinformativeandthatitwillhelpyouprotectyourenterpriseagainstcybersecuritythreats!

5

June6,2017


ComponentsofanAdvancedAttackAnadvancedattackcomprisesfourstages,accordingtoCybersecurityForDummies,PaloAltoNetworksEdition:infection,persistence,communication,andcommandandcontrol.

InfectionCyberattackexploitsgenerallyseektocauseabufferoverflowinthetarget’ssoftware,whichmakestheprogramquitandtransferstheattackertotheshell(orcommandline),therebyenablingtheattackertoentercommandsandgainaccess.Themalwareentersthetargetsystemviaoneofthefollowingmeans:

• Phishing/socialengineering

• Hidinginatransmissioninthesecuresocketslayer,instantmessagingorpeer-to-peertraffic

• Viaremoteshellaccess

• Drive-bydownload(theunintentionaldownloadingofavirusormalwareontoadevice)

PersistencePersistencereferstomalwareremainingwithinanetworkuntilactivated.Itcanmakeuseofarootkit(usingprivileged,root-levelaccess)orabootkit(modifyingthekernelorbootcode),oritcaninstallabackdoor.

CommunicationInthisstageofanattack,themalwareestablishesacommunicationchannelwiththeattacker.Suchchannelscanuseencryptionorunusualroutes,beembeddedinotherprotocols,useseveralornonstandardports,orroutecommunicationsviaseveralinfectedhosts.

CommandandControlThecommandandcontrolcomponentensuresthattheattackcanbecontrolled,managedandupdatedovertime.

CharacteristicsofanAdvancedPersistentThreat(APT)Theterm“APT”wascoinedbyUSmilitaryanddefenseagencies.Itreferstoanattackinwhichanunauthorizedpersongainsandmaintainsaccesstoanetworkforanextendedperiodoftime.WhileearlyAPTswereprimarilyaimedatpoliticaltargetsandgovernmentagencies,recentAPTshavetargetedenterprises.SonyPictures,HomeDepotandTargetarethreehigh-profileexamplesofcompaniesthathavesufferedAPTattacksinrecentyears.

APTsaredesignedtoremainundetected,allowingattackerstostealasmuchdataaspossible.Themalwareisdesignedtooperateoveralongperiod,slowlyaccumulatingdatafromserversanddatabases,aggregatingit,andthensendingitinabursttoaremoteserver.

APTsalsoseektomovefromoneservertothenextwithoutbeingdetectedbygeneratingrecognizablenetworktraffic.Oncethemalwareresidesonthetargetserverandothercriteriaaremet,theattackeithertakesdown

Theterm“APT”wascoinedbyUSmilitaryanddefenseagencies.Itreferstoanattackinwhichanunauthorizedpersongainsandmaintainsaccesstoanetworkforanextendedperiodoftime.WhileearlyAPTswereprimarilyaimedatpoliticaltargetsandgovernmentagencies,recentAPTshavetargetedenterprises.

6

June6,2017


thesystemorbeginstocontroloperations.ThediagrambelowillustratesthesevenstepsofanAPTattack,accordingtocybersecurityfirmNetswitch.

Figure1.TheSevenStepsofanAPTAttack

Source:Netswitch.net

Inthesesevensteps:

1. Socialengineeringisusedtoidentifythoseindividualspossessingtheneededaccessprivileges.

2. Spearphishingisusedtosendspoofedemailsormaliciouslinkstothoseindividualsinordertogainaccess.

3. Malwareinfectionoccursonthenetworkandthemalwarebeginsspreadingtoothersystems.

1.SocialEngineeringTargetsareidentifiedwhohavethenecessaryaccessprivileges.

2.Spear-PhishingAspoofede-mailsentwithmaliciouslinksorcontainingmalwareisdownloadedandinfectshigh-valueemployees.

3.MalwareInfectionThemalwareisdownloadedonasystemwithinthenetworkandstartsspreadingtoothersystems.

4.MappingAccesstothenetworkyieldsmappingcapabilitiesenablingidentificationofstrategicassets.

5.PrivilegeEscalationAttackersgainhigheraccessprivilegesenablingaccesstoadditionalresources.

6.NetworkSpreadThemalwarespreadsacrosstheentirenetwork,establishingfunctionalitytocommunicatewithacommand&control(C&C)Center.

7.ExecutionC&Cinfrastructureisactivatedandbeginstransmissiontoandfromthetargetedsystems.

7

June6,2017


4. Mappinglocatesthekeyassetswithinthenetwork.

5. Privilegeescalationgrantshigherprivilegesandaccesstohigher-levelresources.

6. Networkspreadoccurswithintheentirenetwork,enablingcommunicationwithacommand-and-controlcenter.

7. Executionofthetransmissionofthedesireddataisactivatedbythecommand-and-controlcenter.

TypesofAttacks/VulnerabilitiesAPTscantakeanumberofforms,includingmalware,spam,botnetandransomwareattacks,andhackerscantakeadvantageofvulnerabilitiesinsystems,suchastheuseofweakorcommonpasswords.

MalwareMalware,derivedfromthephrase“malicioussoftware,”issoftwaredesignedtoinvadeothers’computersandinflictharm.Examplesincludevirusesandworms(thetwomostcommontypesofmalware),inadditiontobotsandTrojans,asdescribedbelow.

Figure2.TypesofMalware

Type Characteristics

Bot Derivedfrom“robot,”abotrepresentsanautomatedprocessthatinteractswithnetworkservices.Botscancollectinformation(as“webcrawlers”)orinteractwithinstant-messagingorwebinterfacesand/orwebsites.

Trojan LiketheTrojanhorseinancientGreekliterature,aTrojanlookslegitimatebutcontainssomethingharmful,intheformofsoftware.Trojanscanalsocreatebackdoors,but,unlikevirusesandworms,theydonotreplicate.

Virus Likeahumanvirus,acomputervirusreplicatesbyinsertingacopyofitselfintoanotherprogram.Virusescancausedatadamagethroughdistributed-denial-of-service(DDoS)attacks.Theyaretypicallyattachedtoanexecutable(.exe)fileandtheyspreadfromonecomputertothenextvianetworks,externaldisks,filesharingore-mailattachments.

Worm Wormsworklikeviruses,butarestand-alonesoftwarethatrequireshumanassistancetospread.Awormentersasystemviaavulnerabilityorsocialengineeringandtravelswithinthenetworkviathesystem’sfile-orinformation-transportfeatures.

Source:Cisco

Thereisawidevarietyofmalwarethathasbeenfoundincyberspace,asdepictedbelow.

Malware,derivedfromthephrase“malicioussoftware,”issoftwaredesignedtoinvadeothers’computersandinflictharm.Examplesincludevirusesandworms(thetwomostcommontypesofmalware),inadditiontobotsandTrojans.

8

June6,2017


BrowserRedirection(JS)

PUAandSuspiciousBinariesTrojanDroppers(VBS)

TrojanDownloaders(Scripts)

Browser-RedirectionDownloads

Phishing(Links)AndroidTrojans(Iop)

BrowserRedirection

FacebookHijackingHeuristicBlocks(Scripts)

Trojans,Heuristic(Win32)

BrowseriFrameAttacks

Android(Axent)

AndroidTrojans(Loki)

Malware(FakeAvCn)

Trojans(HideLink)Malware(HappJS)

SampleCount

87,329

50,081

24,737

27,627

18,505

15,933

14,020

12,848

11,600

11,506

5,510

5,467

4,970

4,584

4,398

3,6463,006

FacebookScamLinks

35,887

PackedBinaries

TrojanDownloaders(JS)

7,712

5,996

Figure3.MostCommonlyObservedMalware,2016

Source:Cisco,2017AnnualCybersecurityReport

9

June6,2017


Thefigurebelowillustratesthemostcommonlyobservedtypesofmalwareduringafour-quarterperiodspanning2015–2016.Itshowsthatpotentiallyunwantedapplications(PUAs)andsuspiciousbinariesremainedafairlyconstantthreatovertheperiod,whereasthenumberofTrojandroppersdeclinedsharply.

Figure4.MostCommonlyObservedMalware,4Q15–3Q16

Source:Cisco

SpamSpamisnamedafterafamousskitbyBritishcomedytroupeMontyPythoninwhichtheword,whichisthenameofaHormelprocessed-meatproduct,isrepeatedinasillyway.Itisunwantedandirrelevantemailthatissentinbulktoalargenumberofrecipients—thedigitalversionofjunkmail.Spammayormaynotcontainmalware.Althoughmanyofusmayfeelliketheamountofspammailwereceiveissteadilyontherise,thegraphbelowshowsthatspamvolumehasvariedoverthepast10years.

Figure5.SpamTrapFlowStatistics(EmailsperSecond)

Source:Abuseat.org

SpamisnamedafterafamousskitbyBritishcomedytroupeMontyPythoninwhichtheword,whichisthenameofaHormelprocessed-meatproduct,isrepeatedinasillyway.Itisunwantedandirrelevantemailthatissentinbulktoalargenumberofrecipients.

10

June6,2017


Insomecases,authoritieshavebeenabletostopspammers.ShaneAtkinsonofNewZealandwasexposedasaspammerin2003followingthepublicationofanewspaperarticleabouthim.Hethenclaimedhewouldceasehisoperation,whichsentout100millionemailsperday.However,hecontinuedhisoperationandwasfinedNZ$100,000(US$70,474)in2008.

Thefigurebelowillustratesarecentexplosionintheincidenceofspamthatcontainsmaliciousattachments.

Figure6.PercentageofTotalSpamContainingMaliciousAttachments

Source:Cisco

Duetothehighvolumeofspamsent,andthehighlevelofirritationitcauses,anentireindustryhasemergedtopreventanddetectit.Butplentyofcompaniesstillgeneratespamemailaswellasmassmailingsforlegitimatepurposes.

Twoparticularlydifficulttypesofspamattackstodealwitharehailstormattacksandsnowshoeattacks,whichbothemployspeedandtargeting,andarehighlyeffective.Hailstormstargetantispamsystemsandtakeadvantageofthewindowoftimebetweenthelaunchofaspamcampaignandcoveragebyantispamscanners;typically,thewindowisonlyafewsecondsorminutes.Snowshoespamattacks,bycontrast,aimtoflyundertheradarofvolume-baseddetectiontoolsinasteadybutlow-volumeattack.

BotnetsAlargenumberofinfected,controlledcomputerscanbeaggregatedtoformabotnet,whichcaninflictlarge-scaleattacksonserversandcomputers.OneparticularlydestructivebotnetisMirai(Japanesefor“thefuture”),whichprimarilytargetsIoTdevicessuchasInternetcamerasandrouters.

Duetothehighvolumeofspamsent,andthehighlevelofirritationitcauses,anentireindustryhasemergedtopreventanddetectit.

11

June6,2017


DistributedDenialofService(DDoS)Adenial-of-service(DoS)attackattemptstodisruptanInternetserverbyfloodingitwithsuperfluousrequeststhatareintendedtooverloaditandcrowdoutthelegitimaterequests.ADDoSattackisaDoSattackimplementedfromalargenumberofcomputers,e.g.,fromabotnet.

RansomwareRansomwareisatypeofmalwarethatinfectsortakescontroloftheuser’smachineinanattemptbyahackertoextortapaymentfromtheuser.Themalwaretypicallylocksand/orencryptstheuser’scomputer,filesorapplicationsinordertopreventtheuserfromaccessingthem.

KasperskyLabcalled2016“theyearofransomware,”asmalwaredeveloperswerebusylastyeartransferringresourcesfromless-profitableschemestowardthedevelopmentofransomware.KasperskyLabnotedthefollowingwithregardtotheexplosionofransomwarein2016:

• Theappearanceof62newfamiliesofransomware

• Thenumberofransomwaremodificationsincreasedto32,091intheJuly–Septemberperiodfrom2,900intheJanuary–Marchperiod

• Thenumberofbusinessesattackedbyransomwareincreasedtooneevery40secondsinSeptemberfromoneeverytwominutesatthebeginningoftheyear

IBMX-ForceResearchfoundthatspamvolumequadrupledoveraperiodof23monthsfromJanuary2015throughNovember2016,includinganincreaseintheattachmentrateofransomwarefrom0.6%to40%.

Figure7.PercentageofSpamwithRansomwareAttachments

Source:IBMX-ForceResearch

Ransomwareisatypeofmalwarethatinfectsortakescontroloftheuser’smachineinanattemptbyahackertoextortapaymentfromtheuser.Themalwaretypicallylocksand/orencryptstheuser’scomputer,filesorapplicationsinordertopreventtheuserfromaccessingthem.

12

June6,2017


Therearethreemaintypesofransomware:

1. (B)lockers/lockscreenransomware,whichlockstheuser’sscreen,blocksallotherwindowsandpreventstheuserfromaccessingthedevice

2. (En)cryptors,whichencryptdataontheuser’sdeviceanddemandtheuserpaymoneytoreleasetheencryption

3. Masterbootrecordransomware,whichblockstherecordontheuser’sharddrivethatenablesstartup

Skiddieransomware(createdbya“scriptkiddie,”orunskilledindividual)isransomwarethatisbasedonprogramsdevelopedbyotherindividuals.Reaffirmingtheoldadageabouttherebeingnohonoramongthieves,KasperskyLabcommentedinitsKasperskySecurityBulletin2016,“Weexpect‘skiddie’ransomwaretolockawayfilesorsystemaccessorsimplydeletethefiles,trickthevictimintopayingtheransom,andprovidenothinginreturn.”

Cybercriminalstypicallydemandransomof$200–$10,000,accordingtotheFBI.IBMconductedaransomwarestudyandfoundthat54%ofconsumerssaidtheywouldpay$100forthereturnoftheirfinancialdata.Italsofoundthat55%ofparents,and39%ofnonparents,saidtheywouldpayforthereturnofpreciousphotos.

Ransomwareissurprisinglylucrativeforcybercriminalstargetingthecorporatesphere.TheCryptoWallransomwarehasgeneratedtotalransompaymentsof$325million,andthecriminalsbehindCryptoLockerclaima41%successrate,withtotalproceedsestimatedasmuchas$27million.AnIBMsurveyfoundthatsevenin10companiesthathavebeentargetedhavepaidextortioniststogetdataback.Ofthosecompanies:

• 11%paid$10,000–$20,000

• 25%paid$20,000–$40,000

• 20%paidmorethan$40,000

ThegraphicbelowdepictsanattackinwhichacriminalclaimingtobeactingonbehalfoftheUSDepartmentofJusticehasusedtheagency’slogoinordertoextortthevictimintopayinga$200ransom.

Ransomwareissurprisinglylucrativeforcybercriminalstargetingthecorporatesphere.TheCryptoWallransomwarehasgeneratedtotalransompaymentsof$325million,andthecriminalsbehindCryptoLockerclaima41%successrate.

13

June6,2017


Figure8.ExampleofRansomware

Source:Wired

Scarewareisalessharmfultypeofattackinwhichtheattackerattemptstoinducethevictimtopayinordertopreventorremedyanonexistentattack.

PrivilegeEscalationPrivilegeescalationreferstoexploitingabugorweaknessinanoperatingsysteminordertogainaccesstoresourcesthatwerenotassignedtotheuser.Examplesofprivilegesnormallyreservedforadeveloperorsystemadministratorincludeviewing,editingormodifyingsystemfiles.Verticalprivilegeescalation,orprivilegeelevation,referstoausergainingahigherprivilegelevel,suchasthatnormallyreservedforasystemadministrator.

ExploitsExploitsmakeuseofacommand,methodologyorroutineinsoftwarethatcanbeusedtotakeadvantageofsecurityvulnerabilities.Zero-dayexploitsmakeuseofundisclosedvulnerabilitiestoaffectcomputersystems.Exploitsoperatewithinthe“windowofvulnerability,”whichistheperiodbetweentheactivationoftheexploitandthepatchingofthevastmajorityofvulnerablesystems.GermancomputermagazineC’tdeterminedthatantivirussoftwarewasabletodetect20%–68%ofzero-dayviruses,andanInternetsecurityreportfromSymantecestimatedthattheaveragewindowofvulnerabilityis28days.

BackdoorsBackdoorsrefertosecret,undocumentedwaysofaccessingasystem,possiblyusinghigh-levelprivileges.Backdoorscanbeimplementedinahiddenpartofaprogram,anexternalprogramorthroughhardware,andtheycantaketheformofhardcodedpasswords.TheydifferfromEastereggs,whichareunauthorizedfunctionsinprogramsthatoftenpaytributetotheprogrammers.BackdoorsandEastereggscanofferopportunitiesfor

Zero-dayexploitsmakeuseofundisclosedvulnerabilitiestoaffectcomputersystems.Exploitsoperatewithinthe“windowofvulnerability,”whichistheperiodbetweentheactivationoftheexploitandthepatchingofthevastmajorityofvulnerablesystems.

14

June6,2017


hackersorcybercriminalstofindweaknessesandgainentryintoacomputerornetwork.

In2015,networkhardwaremakerJuniperNetworksdisclosedthatithadfoundunauthorizedcodeinanoperatingsystemrunningonsomeofitsfirewalls(existingsince2012).Thecodewouldhaveallowedattackerstotakecompletecontrolofitsenterprisefirewallsrunningtheaffectedsoftware.AttackerswouldalsohavebeenabletodecryptencryptedtrafficrunningthroughtheVPNonitsfirewalls.

Source:Juniper.net

Theadventofbackdoorshasmadetelecommunicationsequipmentpoliticallysensitive.FormerNationalSecurityAgency(NSA)contractorEdwardSnowdenrevealedthattheNSAroutinelyinterceptedroutersmanufacturedbyCisco—withoutCisco’sknowledge—andinstalledhiddensurveillancesoftwareonthempriortoexport.Topreventimportationofsuchhiddensurveillancesoftware,theUSgovernmentbannedcertainforeigntelecommunicationsequipmentprovidersfrombiddingongovernmentcontracts.

BadPasswordsInearlyversionsoftheUNIXoperatingsystem,allusers’passwordswerehashed(mathematicallytransformedintoanunintelligibleseriesofcharacters)andstoredinapubliclyaccessibledirectorycalled/etc/passwd.ItwassimpleforhackerstoruntheEnglishdictionarythroughthehashingalgorithmandfindpasswordsinthecommondirectorythatweresimpleEnglishwords.Sincethen,thepasswordfilehasbeenmovedto/etc/shadow,whichisaccessibleonlybyprivilegedusers,andmoresophisticatedhashingalgorithmshavebeendeveloped.

Manycomputerusers,overwhelmedbythenumberofpasswordstheyneedtomemorize,resorttosimplepasswordsthatcanbetypedeasilywithatraditionalQWERTYcomputerkeyboard.Thesepasswords,however,areeasilyguessedbyhackers.

15

June6,2017


Figure9.The25MostCommonPasswords,2016

123456

123456789

qwerty

12345678

111111

1234567890

1234567

password

123123

987654321

qwertyuiop

mynoob

123321

666666

18atcskd2w*

7777777

1q2w3e4r

654321

555555

3rjs1la7qe*

google

1q2w3e4r5t

123qwe

zxcvbnm

1q2w3e

*Thesepasswordswerelikelycreatedbybots.Source:HuffingtonPost.com

Passwordscontainingamixtureofcapitalandlowercaseletters,numbersandpunctuation(andnotcorrespondingtodictionaryentries)takeamuchlongeramountoftimetobegeneratedbyhackers’programs.

Hacktivism/Vigilantism/Cyberdissidents/ShamingSomeindividualsturntohackinginorderto,intheirview,dogood.Hacktivism(derivedfrom“hacking”plus“activism”)istheactofbreakingintoacomputersystemtofurtherapoliticalorsocialgoal.InternetvigilantismistheuseoftheInternet,includingsocialmedia,toexposescams,crimesorunwantedbehavior.

Cyberdissidentsareprofessionaljournalistsoractivistsorcitizenswhopostnews,informationorcommentaryontheInternetthatcriticizesaparticulargovernmentorregime.

OnlineshamingistheuseoftheInternetorsocialmediatopubliclyhumiliatethoseperceivedaswrongdoersinordertocounterinjustice.Shamingcaninvolvedoxing—disclosingaperson’sprivateinformationsuchastheiraddressandphonenumberonline—whichcanmakethesubjectatargetofthreatsorharassment.

Internet-PoweredBankHeistsInanapocryphalstory,wheninfamousbankrobberWillieSuttonwasaskedwhyherobbedbanks,hereplied,“That’swherethemoneyis.”Bythatlogic,itiseasytoseewhycybercriminalshaveturnedtheirattentiontoattackingfinancialinstitutionsontheInternet.

InitsKasperskySecurityBulletin2016,KasperskyLabnotedanincreasein“bankheists”in2016,includingattacksonstockexchangesand,notably,asuccessfulmalwareattackontheSWIFTglobalfinancialmessagingnetwork.

InanarticlepublishedMarch25,2017,TheNewYorkTimesnotedthatNorthKoreanhackingteamshaveturnedtheireffortstowardbanks.Thearticleassertsthatthecountrymaintainsanarmyof1,700hackersand5,000trainers,supervisorsandsupportstafflocatedinChina,SoutheastAsiaandEurope.ThegroupisallegedlybehindathwartedattackonaPolish

InitsKasperskySecurityBulletin2016,KasperskyLabnotedanincreasein“bankheists”in2016,includingattacksonstockexchangesand,notably,asuccessfulmalwareattackontheSWIFTglobalfinancialmessagingnetwork.

16

June6,2017


bank,thetheftof$81millionfromBangladesh’scentralbankandtheattackonSonyPicturesin2014.

TypesofHackersAccordingtocybersecurityeducationgroupCybrary,thetypicalhackerisnotthe15-year-oldboyworkingathisbedroomdeskthatwemightimaginebasedonwhatwehaveseeninmovies.Thegroupdefinessevendistincttypesofhackers:

Source:Cybrary.it

1. Scriptkiddie:Asmentionedpreviously,scriptkiddiescopyothers’codetorepurposeitasavirusorasastructured-programminglanguageinjection,whichisusedtoattackdatabases.

2. Whitehat:Thesehackers,alsoknownasethicalhackers,usetheircomputerskillstohelpothers.Forexample,theymighthelpcompaniestesttheirresiliencetooutsideattacks.

3. Blackhat:Thesearethebadactorswhoattempttofindbanksorcompanieswithweakdefensesinordertostealinformation.Thesetypesofhackerscanbemembersoforganizedcrimesyndicatesorstate-sponsoredinfiltrators.

4. Grayhat:Thesehackersaremoreambiguousintheirhackingaims(theyoperateinagrayarea).Theydonotgenerallystealfromtheirvictims,althoughtheymaydefacewebsites.Theytendnottousetheirhackingskillsforgood,althoughtheycouldiftheychoseto.

5. Greenhat:Thesearehackersintraining,or“n00bz”(“newbies”),whoseektolearnhackingsecretsfrommoreexperiencedhackers.

6. Redhat:Thisgrouprepresentsthevigilanteswithinthehackerworld.Theyusehackingtechniquestodisableorhinderotherhackers,suchasbyuploadingvirusestothehackers’ownsystems.

7. Bluehat:Thesearealsofairlyinexperiencedhackers,whoareknowntopurelyseektoenactrevengeonthosewhohaveangeredthem.

OrganizedCrimeCybercrimeisabillion-dollarindustry,accordingtotheUnitedNationsInterregionalCrimeandJusticeResearchInstitute,andthehighrewardsandlowriskassociatedwithcybercrimehaveattractedcriminalgroupsthatplan,organizeandcommitallformsofonlinecrime,includingfraud,theft,extortion,andchildabuse.ThedecentralizedstructureandanonymityoftheInternetmakeitdifficultforlawenforcementagenciestolocatecybercriminals.

Cybercrimeisabillion-dollarindustry,accordingtotheUnitedNationsInterregionalCrimeandJusticeResearchInstitute,andthehighrewardsandlowriskassociatedwithcybercrimehaveattractedcriminalgroupsthatplan,organizeandcommitallformsofonlinecrime,includingfraud,theft,extortion,andchildabuse.

17

June6,2017


Source:iStockphoto

TheDarkWebasMarketplaceTheanonymityofthedarkweb(ordeepweb)hasmadeitanidealmeetingplaceforcriminals,hackers,drugpeddlers,gamblersandchildabusers,amongothers.Aspreviouslymentioned,nation-state-gradehackingtoolsarenowavailableforasmallsum,payableinuntraceablebitcoin,makingitpossibleforalargernumberofindividualstocommithigh-levelattacks.

AMarch20,2017,articleintheInternationalBusinessTimesreportedthatadarkwebvendornamed“SunTzu583”hadoffered21,800,969Gmailaccountsfor$450(0.4673bitcoins)inadditionto5,741,802Yahooaccountsfor$250(0.2532bitcoins).Someoftheaccountsincludepasswordsorhashedpasswords,manyofwhichwerestolenasaresultofdatabreachesofMySpace,AdobeandLinkedIn,andwerealreadydisabled.

State-SponsoredHackersManyattackstodayarereportedlysponsoredbynondemocraticstatessuchasRussia,ChinaandNorthKorea.Thecountriesarereportedtosometimesactaloneandsometimesincooperationwithorganizedcrimesyndicates.TheUS,too,hasusedhackingandcyberwarfaretoachievemilitaryandforeign-policyobjectives.Forexample,theUSusedtheStuxnetwormtodisableIraniancentrifugesengagedinturninguraniumnuclearfuelintoweapons-gradematerial.

ExamplesofhackingbyRussia,ChinaandNorthKoreainclude:

• TheinfiltrationoftheUSDemocraticNationalCommitteenetworkbyGuccifer2.0,andthesubsequentleakofthedocumentstoWikiLeaks.Guccifer2.0claimedinaninterviewtobeRomanian,butcybersecurityexpertsbelievethattheentityisaRussianstate-sponsoredhackinggroup.

18

June6,2017


Source:Democrats.org

• ThehackingandreleaseofemailsresidingonSonyPictures’servers.ThehackwasattributedtoNorthKoreaasrevengeforSonyreleasingthefilmTheInterview,whichsatirizedNorthKorea’sleader,KimJongUn.

• Thetheftofasmanyas21.5millionrecordsfromtheUSOfficeofPersonnelManagement.Therecordsincludedsecurityclearanceinformation,personaldetailsandbiometricinformation.Chinaisthesuspectedperpetratoroftheattack.

• TheinfiltrationofUkraine’selectricalpowergrid,resultinginthreeenergydistributioncompaniesbeinginvaded,30electricalsubstationsbeingswitchedoff,andabout230,000peoplebeingleftwithoutpowerforseveralhours.Accordingtocompanyrepresentatives,theattackderivedfromcomputerswithRussianIPaddresses.

CurrentandFormerEmployeesUnfortunately,manyinformationsystemsareinfiltratedbydisgruntledemployeesorformeremployees.Currentemployeescansometimesobtainsupervisorcredentialsandusethemtograntthemselvesortheircohortscertainprivileges(privilegeescalation).Theseprivilegesallowthemtosnooponoff-limitsservers,dataandservices,whichcanbeviewedforentertainment,datatheftorsabotage.

Inaddition,employeesinsomeindustries(suchasfinancialservices)mayseektotransfersensitivecompanyinformation,includingclientlistsandotherdata.Theymaytransfertheinformationbyemail,byuploadingittocloud-basedserversorbysavingittoanexternalstoragedevicebeforeleavingtoworkforacompetitor.

Unfortunately,manyinformationsystemsareinfiltratedbydisgruntledemployeesorformeremployees.Currentemployeescansometimesobtainsupervisorcredentialsandusethemtograntthemselvesortheircohortscertainprivileges(privilegeescalation).

19

June6,2017


NotableCasesofHackingTherehavebeenanumberofhigh-profilehacksoflargecorporationsinrecentyears,including:

• HomeDepot:Anindividualwhostoleavendor’spasswordandusedvulnerabilitiesintheWindowsoperatingsystemtomovetoamoresecuresystemstoleinformationon56millioncreditcardaccounts,aswellas53millionemailaddresses,fromHomeDepot.AWindowspatchwasinstalled,butnotuntilaftertheinfiltratorhadalreadyenteredthesystem.

• RSA:Ironically,thiscybersecuritycompany(nowadivisionofDell)wasinvadedinMarch2011viaaphishingemailembeddedinaMicrosoftExcelworksheet.TheemailallowedahackertotakeadvantageofavulnerabilityinAdobeFlashsoftwaretoinstallabackdoor,whichwasthenusedtostealpasswordsandcompanydata.

• Target:InDecember2013,Targetdisclosedthathackershadstolencreditanddebitcarddataonasmanyas40millionaccountsviamalwareinstalledinthecompany’spaymentsystem.Thecompany’sFireEyemalwaredetectionsoftwarehadissuedanalert,butitwasnotheeded.

• TJXCompanies:Overan18-monthperiodthrough2007,46.5millioncreditanddebitcardnumberswerestolenfromTJXCompanies.Atthetime,itwasthelargestdatabreachever.

• Yahoo:InFebruary2017,Yahoodisclosedthatithadbeenhackedathirdtime.AbreachinAugust2013allowedhackerstostealdetailsfor1billionuseraccounts.

20

June6,2017


DeborahWeinswig,CPAManagingDirectorFungGlobalRetail&TechnologyNewYork:917.655.6790HongKong:852.6119.1779China:[email protected],CFASeniorAnalystHongKong:8thFloor,LiFungTower888CheungShaWanRoad,KowloonHongKongTel:85223004406London:242-246MaryleboneRoadLondon,NW16JQUnitedKingdomTel:44(0)2076168988NewYork:1359Broadway,9thFloorNewYork,NY10018Tel:6468397017

FungGlobalRetailTech.com

Documents

Cybersecurity— Part Two...3)An advanced attack comprises four stages: infection, persistence, communication, and command and control. 4)Advanced persistent threats are designed to