Cyber Security Risks and Mitigation for SME
SC Leung, CISSP CISA CBCP
Who are we?
HKCERT
– Established in 2001. Operated by HK Productivity Council
– Provide Internet users and SME services (free-of-charge)
– Scope of services
• Security Monitor and Early Warning
• Incident Report Handling
• Publication of Guideline
• Public Awareness Education
– www.hkcert.org
– Free subscription of alert information via email and mobile (we pay for the SMS charges)
– Hotline: 8105-6060
Security Challenges to SMEs
SME
What is SME / SMB?
– < 50 employees, or < 100 employees in manufacturing (HK definition)
Security Challenges of SME
– Lack of resources in general
– IT management: part-time responsibility
– Lack of IT and information security expertise
– Has sensitive data (staff, customer, business proprietary info.)
– Can become easy targets of attack
SME Threat Awareness
Target of attacks
– 40%: SME
– 28%: Larger Enterprises
What's the worst that could happen if a small business is attacked?
– 54%: loss of productivity
– 36%: theft of proprietary or protected information
– Reference: Symantec 2011 SMB Threat Awareness Poll
• http://www.zdnet.com/blog/small-business-matters/smbs-more-security-savvy-but-dont-see-themselves-as-targets/707
SME Security Focus and Blind Spots
Focus on Threats
– Mostly on traditional threats (email and web malware …)
– Becoming aware of new threats: social engineering and information theft
Concern on Security Breach
– Those with no breach experience worry about short-term issues (time and cost to recover)
– Those with breach experience worry about long-term impacts (loss of sales …)
Awareness on New Technology
– Aware of opportunities like mobile computing, social media, cloud computing
– Few aware of IT security risks associated with them
– Reference: AVG SMB Market Landscape Report 2011 (US & UK)
• http://www.avg.com.au/files/media/AVG_SMB_Market_Landscape_Report_2011_FINAL.pdf
Attackers and Motives
Attackers and Motives
Kiddies and Early Hackers
– Fame, recognition, 2000s
Activists: Hacktivism
– Anonymous, Lulzsec groups, 2011
Cyber Warfare
– Attack state critical infrastructure
• Stuxnet on Iranian nuclear plant, 2010
• USA drone malware, 2011
Business Relevant
Cybercriminals: Money
– Theft of information
– Extortion
– Control machine for other purposes
Unfriendly parties
– Disgruntled employees
• Loss of reputation via data leakage or scandals
– Business competitors
• DoS
• Theft of business sensitive information, patent, formula
Underground Economy
Sales ranking on underground economy (Source from Symantec)
DDoS rose by 700% in 2011
Worldwide Infrastructure Security Report 2011 (Arbor Networks)
– DDoS increases
– Mainly ideological (hacktivism)
– Flooding attack: average bandwidth 10 Gbps, largest 60 Gbps
• 74% of respondents: target is the customers
– L7 (application layer) DDoS more common
• HTTP > DNS > SMTP > HTTPS
– HTTP GET flood, HTTP POST flood
DDoS Trend 2011 (Source: CloudFlare)
DDoS Attack Surge
Cases in Hong Kong
– 第一亞洲商人金銀業有限公司 (Feb-2012)
• Motive: extortion
– HK Stock Exchange 披露易 (Aug-2011)
• Motive: Unknown
Two macro trends
– Political: attacks aimed at journalists covering human rights abuses in Angola, bloggers writing about alleged election fraud in Russia, escort sites in Turkey … and sites offering surrogate mother services in China.
– Financial
• Extortion directed at e-commerce sites with around USD$1 million in monthly revenue
• Preceded by a letter demanding a payment or threatening an attack.
DDoS Attack Defense
Deploy Application Firewall to block application layer (L7) DDoS
– Drop traffic not conforming to protocol standard
Prepare for bandwidth adequacy with ISP
Provision web service on Cloud (bandwidth $$$)
Subscribe web security managed service on cloud (web attack and small volume DDoS attack)
Subscribe to DDoS scrubbing service (more costly)
Reference:
– “DDoS Attack and Defense” @HKCERT seminar 2011-10-21
• https://www.hkcert.org/my_url/zh/event/11102101
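As an added illustration (not from the HKCERT deck), the following Python script shows the kind of check an application firewall or log monitor performs for the L7 floods and non-conforming traffic listed above: it counts requests per source in a sliding window and separates request lines that are not valid HTTP. The log format, thresholds and addresses are constructed for this example.

```python
# Added example (not from the HKCERT deck): detector for the HTTP GET/POST
# flood pattern described on the slide, run over constructed access-log
# lines. A source exceeding the request-rate threshold in a sliding window,
# or sending request lines that are not HTTP, is reported so a firewall
# rule or an ISP / scrubbing-service escalation can follow.
from collections import defaultdict, deque
import re

# Simplified log line: <ip> <epoch seconds> "<request line>"  (constructed format)
LOG_RE = re.compile(r'^(\S+) (\d+) "([^"]*)"$')
VALID_REQ = re.compile(r'^(GET|POST|HEAD) \S+ HTTP/1\.[01]$')

def parse(line):
    """Return (ip, ts, request) or None when the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)

def detect_flood(lines, window=10, max_requests=50):
    """Flag IPs with more than max_requests within any `window` seconds (L7 flood)
    and IPs whose request lines do not conform to HTTP (drop candidates)."""
    recent = defaultdict(deque)        # ip -> timestamps inside the current window
    flooders, malformed = set(), set()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts, req = parsed
        if not VALID_REQ.match(req):   # protocol-nonconforming traffic
            malformed.add(ip)
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_requests:
            flooders.add(ip)
    return sorted(flooders), sorted(malformed)

# Constructed sample: one normal client (5 requests over 15 s), one client
# firing 80 GETs in 8 s, and one client sending non-HTTP bytes (documentation IPs).
SAMPLE = (['198.51.100.7 %d "GET /index.html HTTP/1.1"' % (1000 + i * 3) for i in range(5)]
          + ['203.0.113.9 %d "GET /search?q=x HTTP/1.1"' % (1000 + i // 10) for i in range(80)]
          + ['192.0.2.4 1001 "\\x16\\x03\\x01 junk"'])

if __name__ == "__main__":
    print(detect_flood(SAMPLE))
```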
Vulnerabilities
Vulnerabilities
Insecure Configuration defaults
– AutoRuns in USB, CDROM …
– WLAN default settings
All software has security holes
– Opportunity window between discovery of Vulnerability and availability of Patch
People can be cheated
– “Social Engineering” techniques
– Attackers gain trust from victims
(Vulnerability categories: System and Applications; Human)
Threats, Vulnerabilities, Risks, Attacks and Mitigations
[Diagram: Threats (Attackers + Motives) launch Attacks that exploit Vulnerabilities (System / Human) in Your System / Data, giving rise to Risks; without Mitigation (Technology / Awareness) the result is a Compromised System / Data]
Case of Mac OS Security
Some people think “We don’t need anti-virus for Mac OS”. Is this true?
Flashback Trojan for OS X
– Sep 2011, pretended to be Adobe Flash installer
– Mar 2012, targeted Java runtime vulnerability of Mac computers
• Said to have infected 600,000 Mac computers
Vulnerability management problem of Apple
– Flashback targeted a vulnerability of Java
– Apple does not have a patch schedule
– Apple patched Java late
• Available only in Mar 2012 (but Oracle released patch in Nov 2011)
Conclusion
– No system can claim to have no security hole
Attacks
Attack tactics
Social Engineering (use human vulnerabilities)
– Spoofing, “Jetso”, Fear (& Urgency), Authority
Malware & Botnet
Advanced Man-in-the-Middle attacks
Targeted Attack (mix of social engineering and advanced attacks)
Identity Theft: who are you really talking to?
Email: spoof sender
Spoofed email sender lures the user to install malware or visit a malicious website; the user gets infected, the PC is controlled and keystrokes are logged.
– Email protocol (SMTP) is open to spoofing
Website: spoof web identity
Spoofed website lures the user to input username, password, credentials
Malware 2.0
– Evade Detection
– Command & Control
– Forming a Botnet
– Manage & Update
Malware today causes the victim PC to become part of a botnet
Malware Propagation channels: Executables | Document Malware | Website
Executables
– Fake security software
– Fake video player codec
– Social network website redirect
Malware Propagation channels: Executables | Document Malware | Website
Document Malware
– Embedded malware in PDF or Office files
– Zeus botnet served PDF malware (Image by Websense)
Malware Propagation channels: Executables | Document Malware | Website
Website
– Legitimate and trusted websites compromised
– Web admin incapable of detecting and mitigating the risks
Multi-stage infection (drive-by download)
[Diagram: Browser sends Web request to Web server (injected) → Redirected to Exploit server → Serve Exploit Page → Redirected to Malware server (Malware Hosting) → Download Malware]
– Exploits imported from other servers via iframes, redirects
– When compromised, the dropper downloads and installs the actual bot malware
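The injection stage is what a web admin can look for on their own pages. Added example (not from the deck): a Python scan that flags iframe or script tags loading from off-site hosts, the iframe/redirect import mechanism named above, and notes when they are hidden; the site name and sample HTML are constructed placeholders.

```python
# Added example (not from the HKCERT deck): a check a web admin can run over
# served pages to spot the injection stage of the drive-by chain: an iframe
# or script pulling content from a host outside the site, especially when
# hidden (zero size or not displayed). Sample HTML is constructed; the site
# domain and the off-site hosts are placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectFinder(HTMLParser):
    """Collect iframe/script tags whose src points off-site."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []            # (tag, src, hidden)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        host = urlparse(src).hostname  # None for relative (same-site) paths
        if host is None or host == self.own_host or host.endswith("." + self.own_host):
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (a.get("width") == "0" or a.get("height") == "0"
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append((tag, src, hidden))

def find_injections(html, own_host):
    """Return [(tag, src, hidden)] for every off-site iframe/script in the page."""
    p = InjectFinder(own_host)
    p.feed(html)
    return p.findings

# Constructed page: same-site scripts plus one injected, hidden iframe that
# would send the browser to an exploit server (placeholder host name).
SAMPLE_HTML = """<html><body>
<script src="/js/app.js"></script>
<script src="https://cdn.example-shop.test/lib.js"></script>
<iframe src="http://exploit-server.invalid/landing.html" width="0" height="0"
        style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_injections(SAMPLE_HTML, "example-shop.test"):
        print(finding)
```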
Threat: Botnet (roBot Network) is major
[Diagram: Bot Herder → Command & Control Centre (C&C) → Bots (your computers!) → attacks on victims]
– Services: Manage, Update, Survive the adverse
HKCERT Incident Reports
[Pie chart: Reporting Party (2010/11) – local, overseas, proactive discovery; values shown 27.84%, 44.25%, 27.92%]
Attacks are less visible now
– Victim report figure is low.
– Compromise becomes visible when the victim machine is being used to participate in phishing, malware hosting or other attacks
1. Overseas parties reported incidents to HKCERT
2. HKCERT uses proactive discovery methodologies to find hacked machines in Hong Kong
Botnet targeting Banks and e-Commerce
Zeus and SpyEye Botnets
– Steal banking information by Keylogging and Form Grabbing
– Features:
• Take screenshot (save to html without image)
• Fake redirect (redirect to a prepared fake bank webpage)
• HTML inject (hijack the login session and inject new field)
• Log the visiting information of each banking site, record the input string (text or post URL)
Man-in-the-Browser (one kind of man-in-the-middle)
Hackers’ dream: breaking two factor authentication
– Intercept transaction: hook major OS and web browser APIs and proxy data
– Rewrite the screen. Trick user to enter credentials.
– Change amount and change destination to attacker account
– Change the display to user as if his transaction was executed
– Calculate the “should be amount”. Rewrite the remaining total
– Store in a database in the cloud the amount transacted in the user's perspective
Source: www.cronto.com
Inserting transaction (when login)
[Diagram: user submits Login (PIN + OTP); the Trojan kicks up a shadow login at the back; a new window is inserted showing “Not successful. Please retry after 1 minute”; the user submits again with PIN + OTP2; the hacker uses OTP2 to authenticate a transaction]
Zeus in the Mobile
ZitMo (reported in Sep-2010)
– Zeus ver 2.0, with Man-in-the-Mobile (MitMo) feature
– Mobile Infection:
• Start from infected PC visiting bank website
• Get user phone # via fake form
• Send a new "digital certificate" to user phone
• User installs the “certificate” (malware)
– Sniff the SMS messages when woken up. Forward SMS (OTP) to hacker
(2011-July)
Mobile Malware
Mobile malware overtaking PC malware (McAfee Threat Report Q3, Q4 2011)
Android malware risk factor going high
– Unregulated Android Market
– Rooting app available – install and click a button
– Attackers repackaging those same root exploits with malware
Massive infection: 5M machines (Jan 2012)
– "Android.Counterclank”, a Trojan packed in 13 apps
• Collect information including bookmarks, handset model
• Modifies the browser's home page, pushes unwanted ads.
Android Malware
– Mostly for-profit SMS-sending Trojans
– Collect personal data for phishing or ID theft
– Used in hacktivism in Tunisia
[Figure: Mobile malware samples]
Mobile banking – is it secure?
Two factor authentication using SMS?
– Some banks start to use it as the client tool
– Loss of out-of-band communication when using SMS as soft token; a token device is recommended
Unauthenticated mobile Apps
Hackers ported Zeus botnet to mobile
– Zeus: botnet targeting financial institutions
– Man in the Mobile attack (MitMo)
Are you the next Targeted Attack?
Target businesses, political organizations, NGOs
– By hostile party with purpose
– Long term persistent attack: learned and targeted
– Damage: financial, remedial and reputation
Targeted Incidents 2011
– Sony, Google, RSA, Diginotar …
Are you the next Targeted Attack?
Phases
– Malware infection on target user or group (staff, customer)
• Specific malware (non public) via email, social network sites
• Malware keeps a very low profile, periodically updated to keep long term control
– Collect Intelligence
• Learn the names, aliases used; tone of communication
• Learn the business process, schedule
• May combine with physical interaction like phone call, fax, human interactions
– Targeted Activities (use technology / social engineering)
• Steal / leak sensitive information
• Spoof transaction process
– Use social engineering skills to change transaction flow
– Use advanced man-in-the-middle technique to change the transaction flow
• Others, e.g. infiltrate into critical infrastructure and do damage
Countermeasures
First Things First -- Data Classification
Classify data
– Classification of data according to sensitivity level
Protect data according to sensitivity
– Set up data protection policy
– Separate storage of sensitive data (different room, cabinet, network and server)
• Do not mix guest Wifi network with office LAN …
• Do not mix HR/Finance server with office file server
– Set access control according to role
– Prohibit taking sensitive data out of office
– Encrypt sensitive data (esp. when taking them out of office)
– Backup data (for recovery when necessary), store backup tapes offsite
HKCERT Data Protection Guide
– https://www.hkcert.org/my_url/zh/guideline/08092302
Second Thing – Set up Baseline Defense
Install Security Suite (anti-virus, anti-spyware, personal firewall, …)
– Turn on Real-time protection
– Scan periodically for malware
– Update security signatures
Install (personal) firewall
Update security patches (important!)
– Secunia Personal Software Inspector manages MS and non-MS software
• http://secunia.com/vulnerability_scanning/personal/
Use browser securely
Patching your vulnerabilities
Secunia Personal Software Inspector
– Personal Use only
Use Browser Securely
Use newer and secure browsers
– (Chrome 16+, FF 9+, IE 9+) have security features: URL blocking, sandbox, private browsing
– Avoid installing add-ons (extensions, ActiveX objects …) on the browser
Use separate browsers for casual browsing and transactions
Beware of Tabs
– When you log in in one tab, other tabs share the same cookie/session
• http://mysecure.blogspot.com/2011/03/surfing-secure-for-cookiesession.html
Clean browsing history
Use Private Browsing in public kiosk
Browser warning on malicious site
Verify web site identity
SSL (HTTPS) enabled sites provide
– Encrypted connections
– Authenticated source
– Remember to log out when done
Chain of Trust
– Untrusted root certificate
– Root CA cert → Server Cert
– Root CA cert → Intermediate CA cert → Server Cert
Example: a public certificate of an online banking web site
Valid Date / Expired Certificate
Scan for malware files - VirusTotal
Mobile Malware
Android Malware Vulnerability Database (PolyU research)
– http://www4.comp.polyu.edu.hk/~appsec/
Mobile malware analysis website
– http://mobile-sandbox.com
Adopt Good Password Practice
Attack on Password
– Brute force attack or Insider educated guess
Good Password Rule
– Easy to remember AND hard to guess
• Something of personal experience
• Substitute numbers for letters, characters for letters
– Hard to brute force attack
• Length >= 8, mix of digits, alphabet (upper & lower case), symbols
– Meets company standards and system requirements
Something personal: I like going for picnics on Sundays
Example of a strong password: i Like Going 4 Picnics at3und4ys → iLG4P@3und4ys
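Added example (not the slide's own tool): a Python check of the rules on this slide, length >= 8 and all four character classes, together with a brute-force search-space estimate, so the slide's passphrase-derived password can be compared with a plain word. The class sizes and the 10^9 guesses-per-second rate are assumptions.

```python
# Added example (not from the HKCERT deck): checks a candidate against the
# slide's rules (length >= 8; digits, upper and lower case letters and
# symbols all present) and estimates the brute-force search space. The
# alphabet sizes per class and the guess rate are assumptions for illustration.
import math
import string

def char_classes(pw):
    """Return the set of character classes used: lower, upper, digit, symbol."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("symbol")
    return classes

def meets_rules(pw):
    """Slide rules: length >= 8 and all four character classes present."""
    return len(pw) >= 8 and len(char_classes(pw)) == 4

def search_space_bits(pw):
    """log2(alphabet ^ length) for a brute-force attacker who knows which
    classes are used (assumed sizes: lower 26, upper 26, digit 10, symbol 32)."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
    alphabet = sum(sizes[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def years_to_brute_force(pw, guesses_per_second=1e9):
    """Worst-case time to exhaust the search space at an assumed guess rate."""
    return 2 ** search_space_bits(pw) / guesses_per_second / (3600 * 24 * 365)

if __name__ == "__main__":
    # "iLG4P@3und4ys" is the slide's own example; the other two are constructed.
    for pw in ("picnics", "Sunday123", "iLG4P@3und4ys"):
        print(pw, meets_rules(pw), round(search_space_bits(pw), 1),
              "%.2e years" % years_to_brute_force(pw))
```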
Beware of Data Leakage
Leakage via loss of removable device
– USB devices carry a lot of data (8-32GB)
– Encryption is good practice
File Share: Leak! Leak!
– Do NOT install File Share software like Foxy
– Shared file has no privacy
• Shared data are public on the Internet
• Search engine helps explore the sea of data
• Search engine cached links to data -- takes longer time to clear
Build the Human Firewall
Communicate a simple and clear security policy to all staff
– Written Policy on Intranet, notice board
– Incident Report channel
Educate ALL staff on Dos and Don'ts
– (Everyone) Be a gatekeeper of corporate information assets
• Encrypt sensitive data
• Backup data to company server
• Report security incidents to management
– Do NOT risk corporate information assets
• Do not open unsolicited attachments
• Do not visit unsolicited websites
• Do not take sensitive data out of office
• Do not use pirated software or install software on corporate PC
Continuous awareness education
– Send staff to security seminars
Be Prepared for Problems
LAST BUT NOT THE LEAST: Incident Response
– It is about preparedness
– It is about planning
– It is NOT just about instant reaction
Who should we report to? What immediate action should we take? What is the priority of actions?
Q & A
Website: www.hkcert.org
Hotline: 81056060
Email: [email protected]