Hackers You! Why our behavior makes us easy targets for hackers LANNY MORROW, ENCE, CTFI | SENIOR DATA SCIENTIST | BKD, LLP

Hackers You! · Forensic Investigations Division Big Data & Analytics Division About me 22 years with BKD Forensic Investigations, Cybersecurity, Analytics Lead Digital Forensics


Page 1:

Hackers ♥ You! Why our behavior makes us easy targets for hackers
Lanny Morrow, EnCE, CTFI | Senior Data Scientist | BKD, LLP

Page 2:

INTRODUCTIONS

Lanny Morrow, EnCE, CTFI
Senior Data Scientist
BKD, LLP
Forensic Investigations Division
Big Data & Analytics Division

About me
22 years with BKD
Forensic Investigations, Cybersecurity, Analytics
Lead Digital Forensics Examiner
Senior Data Scientist in Big Data & Analytics practice
Founded fraud data analytics practice

The Geeky Stuff
Artificial Intelligence research and development
Developed proprietary A.I. in 2009 to assist with investigations
A.I. “reads” emotion in communications, combs through social media and documents for suspicious patterns, identifies patterns in numeric/text data
Current focus: risk management in “systems”

Personal Stuff
Married for 23 years this year
5 children (3 girls, 2 boys), and 5 grandchildren
Hobbies: video gaming, reading, gardening, 1950’s scifi & horror books and movies

Page 3:

Who are “hackers” anyway?

Page 4:

COMMON PERCEPTIONS OF “HACKERS”

Page 5:

THE REAL “HACKERS”

Page 6:

EVOLUTION OF HACKERS AND THEIR MOTIVATIONS

Traditional:
Thrill seekers
Pioneers
Teenagers

Current:
Terrorists
Hacktivists
Organized crime
State-sponsored
Hacking as a business model

Page 7:

EVOLUTION OF HACKERS AND THEIR MOTIVATIONS

Old Tactics:
• Highly sophisticated technical attacks
• Required advanced training, intelligence

Current Tactics:
• Social Engineering
• Understanding of human nature and psychology
• Social media, phone, email are primary tools
• They let us do most of the work for them

Page 8:

CHARACTERISTICS
Some may surprise you

Skilled
Persistent
Sophisticated
Tactical
Well funded
Difficult to detect
Works very well in teams
Not as sophisticated as you think – they don’t need to be
Very patient
Typically not egotistical or arrogant

Page 9:

JUST HOW GOOD ARE THEY?

• Hackers shown 13 voting machines used in state and federal elections
• No user guide, passwords, etc. – they were only connected to wifi
• First machine was hacked in 30 minutes
• All 13 machines were hacked within 90 minutes
• Most of the hackers worked in ad-hoc teams – they had never met each other

Page 10:

HOW EASY IS IT TO HACK SOMETHING?

Resources abound

Page 11:

Current cyber threat landscape

Page 12:

THE TOP CYBERCRIMES

• Email compromise – 2,370% increase, $5 billion
• Ransomware – 400% increase
• Account takeover
• Identity theft
• Theft of sensitive data
• Theft of intellectual property
• Denial of service

Page 13:

INTERESTING STATISTICS

In 98% of breaches, it took attackers minutes or less to compromise systems

In 79% of cases, it took weeks or more to discover an incident occurred

Attackers take the easiest route (81% leveraged weak, default or stolen passwords)

88% of breaches were made possible by poor IT support processes, employee error & insider/privilege misuse of access

Lost / stolen devices a major source of breaches

In 86% of the cases where breach was through software vulnerability, the patch for that weakness had been publicly available – for over a year

In 90% of those cases, IT had checked “yes” on risk assessment questionnaire about whether software patches were up-to-date…

Page 14:

THE WEAKEST LINK IS….

YOU! (AND ME)

Human Attributes Exploited by Hackers
Distracted
Overworked
Compartmentalized
Disengaged
Trusting
Naïve
Hurried

Situational factors vary the degree of these weaknesses, and hackers know how to capitalize on them:
Attacks come on Friday afternoons
Attacks come at month/quarter/fiscal ends
Attacks come just before holidays or days off
Takes advantage of social media and timing of events

Page 15:

Why do they want your data?

Page 16:

“Follow the Money…”

Page 17:

• Credit/debit card information

• Potential Protected Health Information (PHI)

• Employee, customer, student data (PII)

• SSN, DOB, Address data

• User names & passwords

• Citizen data

• Email contents

• Computer contents (internet history, etc.)

TYPES OF DATA AT RISK

Page 18:

What is this “Dark Web”?

• Less than 10% of the internet is accessible through typical search engines

• The Deep Web is the part of the web that contains the most sensitive information

• The Dark Web is the part of the deep web that is intentionally hidden
  Requiring an anonymizer to access (ex. Tor)
  Uses .onion links; links often shift

Tor – The Onion Router

The Black Market of the Internet!

Source: CISO Platform http://www.cisoplatform.com/profiles/blogs/surface-web-deep-web-and-dark-web-are-they-different

Page 19:

Carding Forum
Joker’s Stash is the most popular “carding” forum on the Dark Web. Credit cards, just $1 each!

Page 20:

Health Insurance Card for Sale

Page 21:

Email Compromise
One of the two threats you’re most likely to experience

Page 22:

Current Trends
• 2370% increase in past year
• 2016 marked beginning of a heavy period of W-2 scams
• Real estate transaction schemes increased 480% in 2017
• Wire transfer frauds growing fastest
• Increase in home PC compromise as conduit to organization
  • Less security at home
  • Hackers infect machine with spyware
  • Gain webmail and other credentials
  • Two-factor authentication best defense

Page 23:

EXAMPLE: BUSINESS EMAIL COMPROMISE

• Controller receives email from “CFO” requesting all employee W-2s pursuant to an IRS inquiry

• Needs it today (received in the afternoon)

• Controller puts it all together into one PDF, alphabetized

• Hacker responds, telling her “this is more than I had hoped for”

• Compromised W-2 information sold on the underground market

• Numerous employees contacted by real IRS about issues with their returns, or why they submitted two returns

Page 24:

“Footprinting”

• Hackers monitor employees via corporate website, media & their personal social media

• Fake emails sent for purposes of reading “out-of-office” replies

• Learn their lingo, travel patterns, associations, when they take vacations

• Follow, steal mobile devices, set up fake hotspots near them

• Will strike when employees are out of pocket (vacations)

Page 25:

MANAGING EMAIL COMPROMISE RISK

Page 26:

Managing Email Compromise Risk

• Increase training & awareness

• Require manual verification
  • For example, call the customer/vendor to verify change in account info or wire transfer instructions

• Double check email addresses
  • In previous examples, email instructions involved or came from a different email provider or domain than legitimate emails

• Do not open email messages or attachments from unknown individuals
  • Especially zip files
  • Or links embedded in suspicious looking emails

Page 27:

Managing Email Compromise Risk

• Know the habits of your vendors, including the details of, reasons behind & amount of payments

• Maintain a file, preferably in nonelectronic form, of vendor contact information for those who are authorized to approve changes in payment instructions

• Limit the number of employees within a business who have the authority to approve &/or conduct wire transfers

• Slow it down – does it really have to go out now?

Page 28:

Managing Email Compromise Risk

• Avoid free email accounts for business; get an established domain

• Be careful what you post to social media & company websites, especially job duties & descriptions, hierarchical information & out-of-office details

• Be suspicious of requests for secrecy or pressure to take action quickly

• Two-factor authentication

• Watch for poor grammar, use of terms like “Kindly”

Page 29:

Suspicious lingo

• General poor English grammar, syntax or conflicting tenses

• "Kindly", such as "kindly update payment information" "kindly use this new account information"

• Requestor statements such as, "the usual bank account cannot receive payments at this time" or "our banking information recently changed" or “our regular bank account is under audit”

• Emails expressing urgency or immediate action such as "payment is supposed to /must be made today" "confirm you can get this done today" "process this as soon as possible". Often in tandem with a promise to send formal documentation or authorization later

• Emails that begin with "Are you in the office?" or "Are you available to process a payment?"

• "I can't take calls now", "can you do it without me?" in response to a verbal authorization attempt, or insisting on email communication only.
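As an added illustration (not code from the presentation), the Python below turns the “Suspicious lingo” indicators on this slide, together with the “double check email addresses” domain check from the Managing Email Compromise Risk slides, into a simple triage score for an inbound payment request. The known-vendor table, the indicator weights, the verdict thresholds and the two sample messages are all constructed for this example; a real deployment would load the vendor table from the accounts-payable master file and tune the weights against its own mail.

```python
"""Triage inbound payment-change requests for business email compromise (BEC) indicators.

Added example: the indicator phrases come from the "Suspicious lingo" slide, the
domain-mismatch rule from the "Double check email addresses" slide. Vendor table,
weights, thresholds and sample messages are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Constructed: vendors we actually pay, keyed by the domain their mail normally comes from.
KNOWN_VENDOR_DOMAINS = {"acme-supply.example": "Acme Supply", "bkd.example": "BKD"}

# (regex over lower-cased body, weight, label). Weights are this example's own choice.
INDICATORS = [
    (r"\bkindly\b", 2, "kindly"),
    (r"\b(usual|regular) bank account\b.*\b(cannot|can't|under audit)\b", 3, "usual account unavailable"),
    (r"\bbank(ing)? (information|details|account) (has )?(recently )?changed\b", 3, "bank details changed"),
    (r"\b(must|supposed to|has to) be (made|done|processed) today\b", 2, "urgency: today"),
    (r"\bas soon as possible\b|\basap\b", 1, "urgency: asap"),
    (r"\bconfirm you can get this done today\b", 2, "urgency: confirm today"),
    (r"\bare you (in the office|available)\b", 2, "availability probe"),
    (r"\b(can'?t|cannot) take calls\b|\bwithout me\b|\bemail only\b", 3, "avoids voice verification"),
    (r"\b(documentation|authori[sz]ation) (will follow|later)\b", 1, "paperwork promised later"),
]


def sender_domain(from_header):
    """Domain part of a From: header, lower-cased; '' if the header holds no address."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(from_header, claimed_vendor, body):
    """Return (score, reasons). A higher score means: hold the payment and verify by phone."""
    score, reasons = 0, []
    domain = sender_domain(from_header)
    # Domain check: the mail claims to be a vendor whose mail normally comes from another domain.
    legit = [d for d, name in KNOWN_VENDOR_DOMAINS.items() if name == claimed_vendor]
    if legit and domain not in legit:
        score += 4
        reasons.append(f"sender domain {domain!r} differs from known {legit}")
    text = " ".join(body.lower().split())  # normalise case and whitespace before matching
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, text):
            score += weight
            reasons.append(label)
    return score, reasons


def verdict(score):
    """Map a score to an action; thresholds are illustrative."""
    return "HOLD - verify by phone" if score >= 4 else "review" if score >= 2 else "ok"


# Constructed sample messages: (From header, vendor the mail claims to be, body text).
SUSPICIOUS = (
    '"Acme Supply AP" <accounts@acme-supply-billing.example>',
    "Acme Supply",
    "Hello, are you in the office? Kindly update payment information, our regular "
    "bank account is under audit. Payment must be made today. I can't take calls now, "
    "email only please. Authorization will follow.",
)
BENIGN = (
    '"Acme Supply AP" <ap@acme-supply.example>',
    "Acme Supply",
    "Hi, attached is invoice 1042 for last month's order. Net 30 as usual. Thanks.",
)


def triage():
    """Verdict for each sample message, in order."""
    return [verdict(score_message(*m)[0]) for m in (SUSPICIOUS, BENIGN)]


if __name__ == "__main__":
    for msg in (SUSPICIOUS, BENIGN):
        s, why = score_message(*msg)
        print(f"{verdict(s):24} score={s:2}  {'; '.join(why) or '-'}")
```

The domain rule carries the largest single weight on purpose: the slides note that in the real cases the instructions came from a different provider or domain than the legitimate vendor’s mail, and that check does not depend on the attacker’s wording. A phrase list like this is a prompt for the human “call the vendor” step, not a replacement for it.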

Page 30:

Ransomware
One of the two threats your district or organization is most likely to experience

Page 31:

Current Trends

Actors seek propagation to the entire network
Most institutions are hit again within a year after the first attack
Ransomware event is increasingly becoming a smokescreen for the larger purpose of data exfiltration (data theft)
Leveraging of social media to gain intel on the organization before attacking. Sometimes months in the planning, but minutes in the execution
Increasing trend for ransom to be requested before the actual system attack

Page 32:

Current Bitcoin Pricing

Page 33:

MANAGING RANSOMWARE RISK

Page 34:

Managing the Ransomware Threat
Education is key to preventing the “fatal click”
IT Risk Assessment or Audit will draw out potential weaknesses
In lieu of payment, can restore from backups
Backup policy should include special class of “essential operating items.” These should be backed up daily
Restoring from a smaller set of essential files saves lots of time & money, reduces down time
Notify local law enforcement. Paying the ransom will only encourage future attempts
But… many organizations stockpiling some BitCoin, just in case. Banks also holding as a service to their customers

Page 35:

Preparing for the Inevitable
Life in a “not if but when” world

Page 36:

Executive Footprinting

THE STORY …
Executive of large industrial conglomerate was “footprinted” by hackers through social media, corporate postings & email replies
Followed when on vacation; tablet was stolen when left unattended

Missteps
Tablet was not protected with a passcode
Linked to corporate email account
Executive didn’t disclose to IT until a barrage of phishing incidents began
Two weeks elapsed from theft to disclosure
Elements of Equifax & Target incidents

Page 37:

THE FALLOUT …

Contents of Email Account
Personally identifiable information (PII) of dozens of high-ranking employees
Personal tax return & SSN of executive & family
Strategic plans, including acquisition/takeover plans deemed “highly confidential”
Trade secret information related to formulas, production processes, etc.
Personal website username/password information
Password-protected documents – with password for those documents provided in the “next email”
Lingo used to request/authorize wire transfers
Worse yet: communication lingo & patterns, identification of employees responsible for wire transfers & holding sensitive information, etc.

Page 38:

THE EPILOGUE …

Immediate Actions
Incident response plan brought into action
All email account credentials changed
Wire transfer protocols suspended – went to manual auth.
Corporate account access credentials changed
Law enforcement, external counsel, insurance notified
Forensic preservation/investigation of affected assets
Notification to affected parties; provided monitoring

Others
Ironically, the executive did not fire himself for not taking cybersecurity more seriously …
Full IT risk audit was performed, including penetration testing (“stress testing”)
Training provided to executives & employees in key areas on cybersecurity awareness & habits
New policies created/enforced related to personal device usage

Page 39:

Personal cybersecurity

Page 40:

Most Common Passwords
1. “password”
2. “12345”
3. Birthdate, anniversary date, or variation
4. Sports teams, hobbies, interests, children’s activities
5. Bonus question – most common garage door code? Mortgage Payoff Date (“0524”)
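As an added illustration (not code from the presentation), the Python below checks a proposed password or door code against the categories on this slide and on the later “Passwords – don’t be predictable” point: a short common-password list, digit strings derived from dates the user has made public, and public interests such as team or children’s names. The common list, the letter-for-digit substitution table and the sample profile are constructed for the example; a real check would draw the profile from whatever the user already posts on social media.

```python
"""Report why a password or PIN is predictable from facts the user has made public.

Added example: categories follow the "Most Common Passwords" slide. The common-password
list, substitution table and the sample profile below are constructed for illustration.
"""
import re
from datetime import date

# Constructed: a tiny stand-in for the breach-derived lists password checkers actually use.
COMMON = {"password", "12345", "123456", "qwerty", "letmein"}


def date_tokens(d):
    """Digit strings people derive from a date: MMDD, MMYY, DDMM, YYYY, MMDDYY, MMDDYYYY, DDMMYYYY."""
    mm, dd, yyyy = f"{d.month:02d}", f"{d.day:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {mm + dd, mm + yy, dd + mm, yyyy, mm + dd + yy, mm + dd + yyyy, dd + mm + yyyy}


def normalize(s):
    """Lower-case and undo the usual letter-for-digit swaps, so p@ssw0rd reads as password."""
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "!": "i", "5": "s"})
    return s.lower().translate(table)


def predictability_reasons(secret, profile):
    """Return the reasons the secret is guessable from the profile; an empty list means none found.

    profile: {"dates": [date, ...], "words": ["Chiefs", ...]} built from the user's public posts.
    """
    reasons = []
    norm = normalize(secret)
    if secret.lower() in COMMON or norm in COMMON:
        reasons.append("in common-password list")
    digits = re.sub(r"\D", "", secret)
    for d in profile.get("dates", []):
        if digits and digits in date_tokens(d):
            reasons.append(f"matches date {d.isoformat()}")
            break
    for w in profile.get("words", []):
        if len(w) >= 4 and w.lower() in norm:
            reasons.append(f"contains public interest {w!r}")
    if re.fullmatch(r"\d+", secret) and len(secret) <= 6:
        reasons.append("short all-digit code")
    return reasons


# Constructed sample profile: an anniversary, a mortgage payoff month, a team and a child's name.
PROFILE = {"dates": [date(1975, 3, 9), date(2024, 5, 15)], "words": ["Chiefs", "soccer", "Emma"]}

if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "0524", "Chiefs2019!", "correct-horse-battery-staple"):
        why = predictability_reasons(candidate, PROFILE)
        print(f"{candidate:30} {'; '.join(why) or 'no obvious pattern'}")
```

The date check deliberately strips everything but digits first, so “05-24” and “0524” are treated alike, and the word check runs over the de-substituted form so that swapping letters for look-alike digits does not hide a team name. The slide’s garage-door example (“0524”) is caught twice: as the MMYY form of a date in the profile and as a short all-digit code.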

Page 41:

Personal Cybersecurity = Organizational Cybersecurity

• Don’t use Hotel or Public Wi-Fi!

• Personal VPNs (Nord, IPVanish, HMA - $2.99 - $9.99/month)

• Don’t commingle personal assets with work; your security probably isn’t as robust as your employer’s

• Set passcodes on mobile devices

• Don’t browse the web while logged in to accounts

• Links in emails – hover over them, don’t click

• Employers should provide VPN and/or mobile broadband cards to traveling employees

Page 42:

Public Wi-Fi and “Honeypots”

Page 43:

Personal Cybersecurity = Organizational Cybersecurity

• Use Two-Factor Authentication

• Secure wallets

• Use a “burn card”, carry cash as a backup

• Shred your personal trash

• Don’t be so open on social media

• Don’t throw away hard drives or USBs

• Cards with EMV chips

• If it feels weird, don’t do it

• Passwords – don’t be predictable

• Join a monitoring and protection service

• Search for yourself (haveibeenpwned.com)

Page 44:

Page 45:

Page 46:

Perils of Social Media

Page 47:

Perils of Social Media

Observations
Scoreboard
Team name
Google photo search for same picture on other social media
Facial recognition
EXIF metadata (may show geotag)

Page 48:

C.U.P.P.

Page 49:

The role of cyber insurance

Page 50:

Cyber Insurance
• Traditional fraud / loss policies may not cover cyber events
• Contact your insurance provider to see what is offered
• When planning coverage, ask about various scenarios
• Many insurers require incident response plans, proper protections before they will pay
• Many insurers require a forensic or law enforcement report of the incident, performed by a 3rd party
• Remember, insurance companies are not in the business of insuring negligence

Page 51:

Final Thoughts

• Get Cyber Insurance

• Invest in education, training, awareness

• Test, test, test your incident response plan

• Risk cannot be eliminated or mitigated in the long run – think in terms of “managing”

• Develop your response team – and have frequent meetings, and resources to do their job.

• Partner with 3rd parties such as forensics, legal, and PR firms

• Watch your “personal cyber hygiene”

• The price of cybersecurity is eternal vigilance

Page 52:

Lanny Morrow
Senior Data Scientist
BKD, LLP
1201 Walnut Street, Suite 1700
Kansas City, Missouri 64106
816.701.0225
[email protected]
@LannyMorrow
LinkedIn: http://www.linkedin.com/in/lannymorrow

bkdrisk.com bkdforensics.com