Pwning, Phishing, Clickjacking: Risks to Data Security A Practical Approach
Presented by Kelli Tarala
Principal Consultant, Enclave Security © 2019
"Pwning, Phishing, Clickjacking: Risks to Data Security" © Enclave Security 2019
Anatomy of a Breach
• Understand the Threat
• Recent Data Breaches
• Anatomy of a Breach
• What do we do about it?
2018’s Biggest Data Breaches
• Facebook 87 Million
• Marriott 500 Million
• Exactis 340 Million
• MyHeritage 87 Million
• Quora 100 Million
• Aadhaar 1 Billion
Your Company’s Data & Your Customers’ Data Are At Risk
• Companies rely on maintaining the confidentiality, integrity, and availability of data in order to stay in business
• Consider what would happen if:
– Your customers’ credit card numbers were stolen?
– Your company’s intellectual property was stolen and sold?
– Attackers accessed your networks via engineering systems?
– Your company’s networks had to be taken offline?
• It is not simply the security department’s responsibility to protect data
• Ultimately, all of us are responsible for protecting this data
What’s the Vector, Victor?
Influence People
Install Malware
Steal Credentials
Infiltrate Networks
Exfiltrate Data
What is Pretexting?
• A false narrative used to gain information
• A form of social engineering
• Impersonating a person or a position of authority
• Common forms include impersonating HR, Purchasing, or the CEO
What is Phishing?
• An email crafted to influence the recipient to “take the bait” with a mouse click
• A malicious attachment could link to a webpage that asks for credentials
• A malicious attachment can install malware
• Phishing and pretexting represent 98% of social incidents and 93% of breaches
• Email continues to be the most common vector (96%)
Source: Malwarebytes Labs, 2019 State of Malware Report
Breach Case Study: RSA
• RSA was breached via social engineering / phishing (4/2011)
• An end user was targeted with an e-mail carrying the Excel document “2011 Recruitment Plan.xls”, which contained malware that exploited an Adobe Flash vulnerability
• The malware, once executed, ran a remote access Trojan based on the Poison Ivy toolkit
• The malware was not detected by the anti-malware software on the end user’s workstation
• The intrusion later led to a breach of the encryption keys used in the security of RSA two-factor authentication
Anatomy of an Initial Breach: Phishing
Anatomy of a Breach (2)
Sample Attack Tool: Poison Ivy RAT
Sample Attack Framework: Metasploit
Anatomy of a Breach (3)
Web-based Attacks
• In addition to email, another common method for gaining initial system access is via web browsers
• Attackers place malicious code on websites, often legitimate ones, and then convince victims to launch the code from the site
• These web-based attacks are referred to as watering hole attacks
• Be careful when surfing the Internet or using a browser, as unsafe usage can lead to a system’s compromise
Breach Case Study: Facebook
• Internal Facebook workstations were compromised (1/2013)
• The breach was caused by an insecure version of Oracle Java running on internal workstations
• Developers visited a mobile developer website hosting an Oracle Java exploit
• The machines were patched and running up-to-date anti-malware, but were still exploited
• No data was reported as compromised in the breach
• Believed to be the same exploit that affected Apple and Microsoft in the same time frame
Anatomy of an Initial Breach: Watering Hole Attacks
Sample Attack Tool: Blackhole Exploit Toolkit
Anatomy of a Breach (4)
Anatomy of Lateral Movement
Anatomy of a Breach (5)
Anatomy of a Data Exfiltration Breach
Transition to Actionable Steps
• Build an Information Assurance Program
• Define applicable regulations, standards, and laws
• Build a control library
• Build a Risk Management Program
Email Security: What to do?
• Never click on links in emails
• If there is a URL worth visiting, re-type it in a browser
• Do not open email attachments unless you expect them
• Encrypt all sensitive information in email
• Tune network mail filters to block unwanted email
• Tune web filters to block access to malicious sites
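As an added example (not from the slide deck), a small mail-filter check in Python that implements two of the rules above on a constructed message: it flags links whose visible text is a URL on a different host than the href actually points to (the reason for “re-type the URL” rather than clicking), and attachments of types you would not open unless expected (an .xls file, echoing the RSA case study). The sample message, the RISKY_EXTENSIONS set and the function names are assumptions for this example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Attachment types treated as "do not open unless expected" (assumption; tune it).
RISKY_EXTENSIONS = (".xls", ".xlsm", ".doc", ".docm", ".exe", ".js", ".hta")
# Constructed sample (not a real email): the link text names one host while the
# href points to another, and an .xls is attached as in the RSA lure.
SAMPLE_EMAIL = """\
Subject: 2011 Recruitment Plan
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Review at <a href="http://login.example.net/portal">https://intranet.example.com/hr</a></p>
--b1
Content-Type: application/vnd.ms-excel; name="2011 Recruitment Plan.xls"
Content-Disposition: attachment; filename="2011 Recruitment Plan.xls"

(binary omitted)
--b1--
"""
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
host_of = lambda u: (urlparse(u.strip()).hostname or "").lower()

def link_mismatches(html: str) -> list:
    # (shown_host, actual_host) for links whose visible text is itself a URL
    # but on a different host than the href really points to.
    found = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop nested markup
        if not text.lower().startswith(("http://", "https://")):
            continue  # plain wording ("click here"): nothing to compare
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            found.append((shown, actual))
    return found

def scan_message(raw: str) -> dict:
    # Run both checks over every MIME part of one raw message.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"link_mismatches": [], "risky_attachments": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings["link_mismatches"] += link_mismatches(part.get_content())
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings["risky_attachments"].append(name)
    return findings
```

Either finding is a reason to quarantine the message or at least strip the attachment before delivery, rather than relying on the recipient to notice the mismatch.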
Internet Security: What to do?
• In addition to email, another common method for gaining initial system access is via web browsers
• Attackers place malicious code on websites, often legitimate ones, and then convince victims to launch the code from the site
• These web-based attacks are referred to as watering hole attacks
• Be careful when surfing the Internet or using a browser, as unsafe usage can lead to a system’s compromise
Safe Internet Surfing
• Therefore, only visit websites you trust; if it smells fishy, it probably is
• Remember, even big companies have been known to host malware
• Only use your computer for work-related activities
• If a website asks to run a script (program), do not click OK
• If your browser warns you that a site is not safe, do not click OK
• If a pop-up tries to scare you into clicking something, do not click OK
• If you aren’t sure whether a site is safe, ask someone
• Remember, second to phishing, watering hole attacks are one of the most common ways attackers find their way into an organization
Enter the CIS Critical Security Controls
• A realistic solution for defending against cyber security attacks
• They define specific defenses against known cyber attacks
• Created and maintained by a volunteer army and the Center for Internet Security
• The defined controls are not always easy, but they give organizations the opportunity to prevent and detect attacks
Document Contributors
International Contributors Include:
• UK Government Communications Headquarters (GCHQ)
• UK Centre for the Protection of National Infrastructure (CPNI)
• Australian Defence Signals Directorate (DSD)
• Japanese Security Researchers
• Scandinavian Security Researchers
• GCC Security Researchers
• Turkish Security Researchers
• Canadian Security Researchers
• Many other international researchers
US Contributors Include:
• Department of Homeland Security (DHS)
• National Security Agency (NSA)
• Department of Energy (DoE) Laboratories
• Department of State (DoS)
• US-CERT and other incident response teams
• DoD Cyber Crime Center (DC3)
• The Federal Reserve
• The SANS Institute
• Civilian penetration testers
• Numerous other Federal CIOs and CISOs
• Hundreds of other private sector researchers
The CIS Controls
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
Summary
• Understand the Threat
• Recent Data Breaches
• Anatomy of a Breach
• What do we do about it?
Further Questions
• Kelli Tarala
– E-mail: [email protected]
– Twitter: @kellitarala
– Blog: http://www.auditscripts.com/
• Resources for further study:
– https://staysafeonline.org/
– https://haveibeenpwned.com/
– https://privacyrights.org