
Pwning, Phishing, Clickjacking: Risks to Data Security A Practical Approach

Presented by Kelli Tarala

Principal Consultant Enclave Security © 2019


"Pwning, Phishing, Clickjacking: Risks to Data Security" © Enclave Security 2019

Anatomy of a Breach

• Understand the Threat

• Recent Data Breaches

• Anatomy of a Breach

• What do we do about it?


2018’s Biggest Data Breaches

• Facebook 87 Million

• Marriott 500 Million

• Exactis 340 Million

• MyHeritage 87 Million

• Quora 100 Million

• Aadhaar 1 Billion


Your Company's Data & Your Customers' Data Are At Risk

• Companies rely on maintaining the confidentiality, integrity, and availability of data in order to stay in business

• Consider what would happen if:

– Your customers' credit card numbers were stolen?

– Your company's intellectual property was stolen and sold?

– Attackers accessed your networks via engineering systems?

– Your company's networks had to be taken offline?

• It is not simply the security department's responsibility to protect data

• Ultimately all of us are responsible for protecting this data


What’s the Vector, Victor?

Influence People → Install Malware → Steal Credentials → Infiltrate Networks → Exfiltrate Data


What is Pretexting?

• False narrative to gain information

• Social engineering

• Impersonating a person or position of authority

• Common forms include HR, Purchasing, CEO


What is Phishing?

• An email crafted to influence the receiver to "take the bait" via a mouse click.

• A malicious attachment could link to a webpage that asks for credentials

• A malicious attachment can install malware

• Phishing and pretexting represent 98% of social incidents and 93% of breaches.

• Email continues to be the most common vector (96%).

Source: Malwarebytes-Labs-2019-State-of-Malware-Report-1


Breach Case Study: RSA

• RSA breached via social engineering / phishing (4/2011)

• End user targeted with an e-mail carrying an Excel document, "2011 Recruitment Plan.xls", which contained malware that exploited an Adobe Flash vulnerability

• The malware, once executed, ran a remote access Trojan based on the Poison Ivy toolkit

• Was not detected by anti-malware software on the end user's workstation

• Later led to a breach of encryption keys used in the security of RSA two-factor authentication


Anatomy of an Initial Breach: Phishing


Anatomy of a Breach (2)

Influence People → Install Malware → Steal Credentials → Infiltrate Networks → Exfiltrate Data


Sample Attack Tool: Poison Ivy RAT


Sample Attack Framework: Metasploit


Anatomy of a Breach (3)

Influence People → Install Malware → Steal Credentials → Infiltrate Networks → Exfiltrate Data


Web-based Attacks

• In addition to email, another common method for gaining initial system access is via web browsers

• Attackers will place malicious code on websites, often legitimate ones, and then convince victims to launch the code from the site

• These web-based attacks are referred to as watering hole attacks

• Be careful when surfing the Internet or using a browser, as unsafe usage can lead to a system's compromise


Breach Case Study: Facebook

• Internal Facebook workstations compromised (1/2013)

• Breach was caused by an insecure version of Oracle Java running on internal workstations

• Developers visited a mobile developer website hosting an Oracle Java exploit

• Machines were patched & running up-to-date anti-malware, but were still exploited

• No data was reported as compromised in the breach

• Believed to be the same exploit that affected Apple and Microsoft in the same time frame


Anatomy of an Initial Breach: Watering Hole Attacks


Sample Attack Tool: Blackhole Exploit Toolkit


Anatomy of a Breach (4)

Influence People → Install Malware → Steal Credentials → Infiltrate Networks → Exfiltrate Data


Anatomy of Lateral Movement


Anatomy of a Breach (5)

Influence People → Install Malware → Steal Credentials → Infiltrate Networks → Exfiltrate Data


Anatomy of a Data Exfiltration Breach


Transition to Actionable Steps

• Build an Information Assurance Program

• Define applicable regulations, standards, and laws

• Build a control library

• Build a Risk Management Program


Email Security: What to do?

• Never click on links in emails

• If there is a URL worth visiting, re-type it in a browser

• Do not open email attachments unless you expect them

• Encrypt all sensitive information in email

• Tune network mail filters to block unwanted email

• Tune web filters to block access to malicious sites


Internet Security: What to do?

• In addition to email, another common method for gaining initial system access is via web browsers

• Attackers will place malicious code on websites, often legitimate ones, and then convince victims to launch the code from the site

• These web-based attacks are referred to as watering hole attacks

• Be careful when surfing the Internet or using a browser, as unsafe usage can lead to a system's compromise


Safe Internet Surfing

• Therefore, only visit websites you trust; if it smells fishy, it probably is

• Remember, even big companies have been known to host malware

• Only use your computer for work-related activities

• If a website asks to run a script (program), do not click OK

• If your browser warns you that a site is not safe, do not click OK

• If a pop-up tries to scare you into clicking something, do not click OK

• If you aren't sure whether a site is safe, ask someone

• Remember, second to phishing, watering hole attacks are one of the most common ways attackers find their way into an organization


Enter the CIS Critical Security Controls

• A realistic solution for defending against cyber security attacks

• It defines specific defenses against known cyber attacks

• Created and maintained by a volunteer army and the Center for Internet Security

• Defined controls are not always easy, but they give organizations the opportunity to prevent and detect attacks


Document Contributors

International Contributors Include:

• UK Government Communications Headquarters (GCHQ)

• UK Centre for the Protection of National Infrastructure (CPNI)

• Australian Defence Signals Directorate (DSD)

• Japanese Security Researchers

• Scandinavian Security Researchers

• GCC Security Researchers

• Turkish Security Researchers

• Canadian Security Researchers

• Many other international researchers

US Contributors Include:

• Department of Homeland Security (DHS)

• National Security Agency (NSA)

• Department of Energy (DoE) Laboratories

• Department of State (DoS)

• US-CERT and other incident response teams

• DoD Cyber Crime Center (DC3)

• The Federal Reserve

• The SANS Institute

• Civilian penetration testers

• Numerous other Federal CIOs and CISOs

• Hundreds of other private sector researchers


The CIS Controls

1. Inventory and Control of Hardware Assets

2. Inventory and Control of Software Assets

3. Continuous Vulnerability Management

4. Controlled Use of Administrative Privileges

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

6. Maintenance, Monitoring and Analysis of Audit Logs

7. Email and Web Browser Protections

8. Malware Defenses

9. Limitation and Control of Network Ports, Protocols, and Services

10. Data Recovery Capabilities

11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

12. Boundary Defense

13. Data Protection

14. Controlled Access Based on the Need to Know

15. Wireless Access Control

16. Account Monitoring and Control

17. Implement a Security Awareness and Training Program

18. Application Software Security

19. Incident Response and Management

20. Penetration Tests and Red Team Exercises


Summary

• Understand the Threat

• Recent Data Breaches

• Anatomy of a Breach

• What do we do about it?


Further Questions

• Kelli Tarala

– E-mail: [email protected]

– Twitter: @kellitarala

– Blog: http://www.auditscripts.com/

• Resources for further study:

– https://staysafeonline.org/

– https://haveibeenpwned.com/

– https://privacyrights.org