Cybersecurity Concerns for the Roaring 20s · 2020-05-30
TRANSCRIPT
Cybersecurity Concerns for the Roaring 20s
David Trepp, MS/Partner
Fast Facts
David Trepp, Partner, IT Assurance
US Army veteran
MS Geochemistry
Serial tech entrepreneur, 30+ years
Personal interests
Rock climbing
Bicycle touring
Information science
Thermodynamics
Today’s Presentation
I’m not a futurist
We will not discuss things like
Fusion reactors
Expeditions to Mars
I do track cybersecurity trends though
We will discuss both near and longer term trends
Technical topics will be presented with as little techno-babble as possible
Housekeeping
Questions and comments are encouraged
Feel free to use Q&A to pose questions
Content
Brief Review of Threat Sources
Top Cybersecurity Threats of the Roaring 20s
Safe Computing Tips
Brief Review of Threat Sources
Threat Sources
Threat Sources, with Examples and Motivation/Impact

Hacktivists
Examples:
• (2016) Panama Papers legal document release
• (2019) UK Labour Party DDoS attack
• (2019) German politicians dox’ed
Motivation/Impact:
• Digital vigilante justice

Foreign Nation-State Sponsored Entities
Examples:
• (2010) Stuxnet attack on Iranian uranium centrifuges
• (2016) Democratic National Committee espionage
• (2016) Attack on Ukraine’s electrical power grid
• (2017) Equifax data breach affecting 145M North Americans
• (2019) Triton, i.e., Trisis, industrial sabotage malware attack on Saudi Arabian infrastructure
Motivation/Impact:
• Espionage
• Disruption of critical services
• Political influence

Cybercriminals
Examples:
• (2008) Heartland Payment Systems
• (2011) Sony PlayStation Accounts
• (2012) US Office of Personnel Management
• (2013) Target
• (2014) eBay
• (2016) Uber
• (2019) Capital One, MS O365, Box
Motivation/Impact:
• Corporate fraud
• Credit card fraud
• Identity theft
• Tax fraud
• Extortion
• Intellectual property theft
• Records tampering

Employees, Vendors & Contractors (i.e., insiders)
Examples:
• (2008) City of SF former employee locked out network access
• (2008) Former Cox Communications employee shut down service in three states
• (2013) Edward Snowden leaked classified NSA information
• (2016) Air Force whistleblower leaked classified data on election interference
Motivation/Impact:
• Negligence
• Poor training
• Retaliation
• Extortion
Many Hackers Already Practice Social Isolation
Worsening Threat Landscape
Releases of sophisticated, formerly secret hacking tools into the public domain are rampant, e.g.
Equation Group
Hacking Team
Criminals and hacktivists have figured out that cyber crime is low risk, high reward, so their numbers are growing
Darkweb “storefronts” provide packaged tools and hackers no longer have to be technically savvy, so their numbers are growing
Foreign nation-state sponsored entities have immense resources at their disposal and they’re now targeting all types of US organizations
The Internet of Things continues to increase the Internet’s attack surface area
New vulnerabilities are being released at a dizzying rate
Top Cybersecurity Threats of the Roaring 20s
Cybersecurity Threats in the Roaring ‘20s
Ransomware 2.0
Phishing 2.0
Attacks Against Critical Infrastructure
Expanded Tax Fraud
Defeating Multi-Factor Authentication (MFA or 2FA)
Cloud & Cross-Boundary Attacks
The Drone Wars
AI Aided Deep Fakes
Other Attacks on Truth & Our Confidence in Institutions
Obsolescence of Modern Encryption
Ransomware 2.0
Mobile-device enabled Ransomware
Dormant until no one is around
Sunday morning 1am
Not just denial-of-service anymore, also sensitive data releases
No hacking skills required: ransomware as a service
Encrypt your boss’ drive on the way out the door
Typical Ransomware Message
Ransomware 2.0
Phishing 2.0
Targeted, with prior reconnaissance for:
Name drops
Business-specific subjects
“Trusted” banners and security assurances
Multi-step, email followed by call, text, or email lacking an attachment
Did you receive my important email yesterday?
Taking advantage of current events
Multi-media
Phishing (email)
Vishing (Voice)
Smishing (Text)
Phishing 2.0: “I’m From A Trusted Source”
Mobile-device enabled
Phishing 2.0: The CEO Needs You…Now!
Phishing 2.0: Check Out My Totally Legit Resume
Phishing 2.0: The Bank Has Your Back
Phishing 2.0: Targeting Tech Firms
Phishing 2.0: Targeting CPA Firms
Phishing 2.0: Exploiting Current Events
Phishing 2.0: Improved Voice and Text Attacks
Emergency
“It’ll cost you $ to get out of this bind, but I’ll accept a gift card”
Routine
“This is a totally non-malicious request for PII or system access”
Customer Service
“I’m from Customer Service at Acme Company, and I saw the negative Google review you posted. Tell me what went wrong then I’ll send you a gift certificate for your trouble (I’ll just need a little PII first).”
Phishing 2.0: Exploiting Current Events
Phishing 2.0: Attacks Targeting Organizations
Detailed Reconnaissance
Annual Reports
Press Releases
Tech Support Forums
LinkedIn & Lead Sites
Calls to Reception & Others
Sophisticated Scripts
Name Drops
Relevant Topics
Multiple Attack Vectors
Email, text, phone, in person
Significant Impact
Persistence
Escalation
Attacks Against Critical Infrastructure
Systems that Provide
Electricity
Water
Sewage
Communications
Etc.
Attacks
Reconnaissance
Find Weaknesses
Lie Dormant
Coordinated Future Attacks
Expanded Tax Fraud
Attacking accounting firms
Impersonate clients to harvest sensitive information
Commandeer accounting firm websites, document portals, and mail systems to impersonate the firms
Attacking individuals who are filing
Target consistent high-earners and file fraudulent returns early, with large refunds
Impersonate accounting firms (see above) to get clients to download fraudulent documents or mobile applications. These attacks can be very effective, as the malicious payloads are often industry-standard remote access tools (which pass muster with anti-virus) or sophisticated mobile banking malware
Attacking firms that distribute key tax documents e.g. W2s & 1099s
Impersonate these firms and send out emails containing fraudulent forms purporting to be legitimate W2s or 1099s, or links to portals to log in and access such documents
Defeating Multi-Factor Authentication (MFA or 2FA)
Help desk attacks
Convince them to switch the phone #
Backdoor access that doesn’t require MFA
Exchange Web Services (EWS)
Exchange modern encryption
Ask the user for their one-time code
“We’re from the bank’s security department, and there’s been some suspicious activity with your account; but before we go any further, we need you to verify it’s you. Please read me the code you were just sent.”
The code was sent by your legitimate financial institution, who sent it to you because the fraudster just entered your (stolen) username and password. Now the fraudster is calling you to request the MFA one-time code.
SIM card swaps
If your phone suddenly tells you it has “No Service” or provides you an “access code” you weren’t anticipating, contact your cell provider right away and ask them if there’s been any activity on your account, e.g. a SIM swap
Defeating MFA: Continued
Password Guessing
Hijacking Home/Mobile Devices
Logging all your keystrokes
Viewing your screen
Intercepting cookies/session IDs
Necrobrowser
Modlishka
Impersonating Tech Support to Teleworkers
“IT has me calling everyone to make sure all our company teleworkers have the critical new Adobe patch.”
Cloud & Cross-Boundary Attacks
Typical Information Systems Have Various Levels of Connectivity with Numerous “Integrated Entities”
Internal Departments & Devices
HR, Finance, Ops, etc.
Shadow IT
BYOD
IoT
Internal (Segmented) Subnets
DMZs
Industrial Control Systems/SCADA
Cardholder Data Environment (CDE)
WiFi Networks
Remote Branches/Offices/Employees
Cloud & Cross-Boundary Attacks Continued
Typical Information Systems Have Various Levels of Connectivity with Numerous “Integrated Entities”
Vendors
Product/Application Vendors
Support Vendors
Hosting/Cloud Vendors
Government/Industry Agencies
Reporting
Data Sharing Consortiums
Councils of Government
Emergency Response Groups
Cross-Boundary Attack Example: Target Breach 2013
HVAC Vendor Identified & Breached
Via Phish
Target Provided Remote Access For Vendors
Billing, Contract Submission, and Project Management
Alleged Attack Steps (After Compromising HVAC Vendor)
Exploit vulnerable (unpatched) PHP instance in vendor web app “document upload” feature and establish local host admin
Pull NTLM password hashes from LSASS
Exploit “pass-the-hash” for DA account privileges
Use DA privileges to ransack PoS systems & steal 40 million credit cards
Deliver them across the Internet to criminal hosts via DNS exfiltration
Target Network Lacked Sufficient Controls
No multi-factor authentication
Inadequate patch management
Inadequate vendor server segmentation
No Cardholder Data Environment (CDE) segmentation
No SMB (digital) signing controls
Inadequate information flow controls, specifically network egress controls
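The attack walkthrough ends with credit card data leaving the network through DNS exfiltration, and the list of missing controls closes with network egress controls. As an added illustration (this code is not from the presentation or from the cited paper), the following Python script shows one way a defender can spot that pattern in DNS query logs: one client sending many distinct, long, high-entropy subdomain labels under a single domain. The log entries, the client IP addresses, the domain exfil-example.test and the thresholds are all constructed assumptions, and treating the last two labels of a name as the registrable domain is a simplification (no public suffix list).

```python
import math
from collections import defaultdict

# Constructed sample of DNS query log entries: (client IP, queried name).
# Ordinary traffic, plus one host tunnelling data through long, high-entropy
# subdomain labels under a single domain, the classic exfiltration pattern.
SAMPLE_QUERIES = [
    ("10.1.5.20", "www.example.com"),
    ("10.1.5.20", "mail.example.com"),
    ("10.1.5.20", "www.example.com"),
    ("10.1.5.21", "updates.example.net"),
    ("10.1.7.33", "0123456789abcdef0123456789abcdef.c2.exfil-example.test"),
    ("10.1.7.33", "123456789abcdef0123456789abcdef0.c2.exfil-example.test"),
    ("10.1.7.33", "23456789abcdef0123456789abcdef01.c2.exfil-example.test"),
    ("10.1.7.33", "3456789abcdef0123456789abcdef012.c2.exfil-example.test"),
    ("10.1.7.33", "456789abcdef0123456789abcdef0123.c2.exfil-example.test"),
    ("10.1.7.33", "56789abcdef0123456789abcdef01234.c2.exfil-example.test"),
]


def shannon_entropy(text):
    """Bits of entropy per character; encoded or encrypted payloads score high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Return (subdomain part, registrable domain).

    Assumption: the registrable domain is the last two labels. Real tooling
    would consult the public suffix list (co.uk and friends)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def summarize(queries):
    """Group queries by (client, domain) and collect the distinct subdomains seen."""
    groups = defaultdict(set)
    for client, name in queries:
        sub, domain = split_name(name)
        if sub:
            groups[(client, domain)].add(sub)
    return groups


def flag_exfil(queries, min_unique=5, min_label_len=20, min_entropy=3.0):
    """Flag (client, domain) pairs whose subdomains look like encoded data:
    many unique names, long leftmost labels, high character entropy.
    Thresholds are illustrative assumptions; tune them on your own traffic."""
    flagged = []
    for key, subs in summarize(queries).items():
        if len(subs) < min_unique:
            continue
        first_labels = [s.split(".")[0] for s in subs]
        mean_len = sum(len(l) for l in first_labels) / len(first_labels)
        mean_ent = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for client, domain in flag_exfil(SAMPLE_QUERIES):
        print(f"possible DNS exfiltration: {client} -> {domain}")
```

The ordinary hosts never accumulate enough distinct subdomains to be examined, while the tunnelling host trips all three thresholds. The same grouping is the basis of an egress control: a resolver that only forwards queries for approved domains, or that rate-limits unique subdomains per client, closes the channel rather than merely reporting it.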
Cross-Boundary Target Breach, continued
Source: Breaking the Target: An Analysis of Target Data Breach and Lessons Learned, https://arxiv.org/pdf/1701.04940.pdf
The Drone Wars
Drones used for both law enforcement & attackers:
Wifi
War flying
Hi-Res video
Capture phone pin
Upper story office windows
Sensitive audio
Phone purchase credit card #
Movement Habits/Favorites
Spend your $ at the same places you do, so no fraud alerts triggered
Disabling GPS & overcoming geofencing to trespass
Government and research concern
AI Aided Deep Fakes - Both Audio & Video
Other Attacks on Truth & Confidence in Institutions
Nation-state attacks
Voting System Attacks
If machines are unavailable or results are unreliable, our democracy fails
Other Attacks on Truth & Confidence in Institutions, continued
Cesspool of unvetted disinformation in media and social media
Political echo chambers
Loss of mediating effects of local news results in extremism
Anti-Intellectualism
“I don’t believe in science.”
Mike Hughes
Disinformation for Sale
Obsolescence of Modern Encryption
The promise of quantum computing:
In traditional computing, a bit has a single value (zero or one)
Quantum bits (qubits) can take on a superposition of both values
Quantum networks could be un-crackable
Quantum computers would be wonderful for solving problems like medical research
Building models of viruses
Quantum computers would also render modern encryption algorithms obsolete
Performing trillions of cracking operations per millisecond
Challenges still facing quantum computing
Decoherence
Vibrations, temperature fluctuations, magnetic fields, and even observations destroy qubit properties of quantum computers
Error handling performed with non-binary qubits
In binary math, there are only two possible answers to each operation
A parity bit, which is the 0 or 1 representing the sum (modulo 2) of the previous bits in the string, can help reconstruct lost bits
If bit one = 0 and bit two = 0, their sum (or the parity bit) = 0
If bit one = 1 and bit two = 1, their sum modulo 2 (or the parity bit) = 0
If bit one = 1 and bit two = 0, their sum (or the parity bit) = 1
If any single bit gets lost in transmission, the value of the parity bit tells us how to back-calculate the missing bit
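The parity arithmetic above, carried through in code as an added example (not part of the presentation): the parity bit is the mod-2 sum of the data bits, a single lost (erased) bit is recovered by asking which value restores even parity across the whole codeword, and the same bit also detects, though cannot locate, one flipped bit. Function names and the sample codewords are my own.

```python
def parity_bit(bits):
    """Mod-2 sum of the data bits: 0+0 -> 0, 1+1 -> 0, 1+0 -> 1."""
    return sum(bits) % 2


def encode(bits):
    """Append the parity bit so the whole codeword has even parity."""
    return list(bits) + [parity_bit(bits)]


def recover_erasure(received):
    """Rebuild the data bits from a codeword with exactly one lost bit.

    The lost position is marked with None. Because data + parity always sums
    to an even number, the missing bit is whatever value makes the total even.
    Returns the data bits (parity stripped)."""
    missing = [i for i, b in enumerate(received) if b is None]
    if len(missing) != 1:
        raise ValueError("a single parity bit can recover exactly one lost bit")
    known_sum = sum(b for b in received if b is not None) % 2
    repaired = list(received)
    repaired[missing[0]] = known_sum   # odd known sum -> lost bit was 1
    return repaired[:-1]


def has_error(received):
    """True when a complete codeword no longer has even parity, i.e. an odd
    number of bits were flipped. Parity says that something changed, not where."""
    return sum(received) % 2 == 1


if __name__ == "__main__":
    data = [1, 0, 1, 1]                 # constructed sample
    word = encode(data)                 # [1, 0, 1, 1, 1]
    damaged = word[:]
    damaged[1] = None                   # second bit lost in transit
    print(word, "->", damaged, "->", recover_erasure(damaged))
    flipped = word[:]
    flipped[0] ^= 1
    print("flip detected:", has_error(flipped))
```

Two lost bits cannot be recovered from one parity bit (the function raises), and two flipped bits cancel out and go undetected; that limitation is why real codes, quantum or classical, use many parity checks over overlapping groups of bits.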
Safe Computing
Safe Computing Tools & Techniques
Password Management
Use strong passwords
Length is the most important criterion for a strong password
But there must also be substitutions (use a repeatable substitution pattern)
Store them in password vault applications
KeePass, RoboForm
Or at least password protect that Excel file you’re using…
Put up with the hassle of multi-factor authentication
Google Authenticator
Don’t use email for sensitive information!
Many message platforms use end-to-end encryption, e.g. Slack, WhatsApp
Password protect attachments
Sanitize the contents of your inbox, sent, trash, etc.
Use inbound mail filter tools to pre-examine attachments and links
For personal email, see apps like Hushmail
If you must use email for sensitive data, use encryption tools
PGP
Zixmail
Safe Computing Tools & Techniques
Browsing
Before logging in, confirm the word immediately preceding the .com, .org, .net, etc. and the .com itself
https://www.chase.com vs. https://www.chase.bank.com
https://www.chase.com vs. https://www.chase.net
Logout when you’re done
Secure your browser settings, e.g.
Firefox with
NoScript (prohibits a startling number of scripts running in the background)
Privacy Badger (restricts ads, cookies, tracking)
FoxyProxy (hides your point of origin)
Limit sharing & post anonymously, whenever possible
Yelp & Google Review Scams
Be suspicious of all pop-ups & dialog boxes
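The “confirm the word immediately preceding the .com” rule above is a check that can be written down. As an added example (not from the presentation), the Python below pulls the registrable domain out of a login URL and compares it with the sites a user actually holds accounts at, so that https://www.chase.bank.com and https://www.chase.net are both rejected while https://www.chase.com passes. The TRUSTED_DOMAINS set and the function names are my own assumptions, and taking the last two labels as the registrable domain is a simplification that ignores public suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed: the registrable domains (word before the TLD, plus the TLD)
# of the sites this user actually logs in to.
TRUSTED_DOMAINS = {"chase.com", "example.org"}


def registrable_domain(url):
    """Return the host's last two labels, e.g. 'chase.com' for
    https://www.chase.com and 'bank.com' for https://www.chase.bank.com.
    Simplification: no public suffix list, so co.uk-style TLDs are not handled."""
    host = urlsplit(url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_login_url(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason). A login page must be https and must sit on a
    registrable domain the user already trusts; everything before that
    domain (www., chase., mail.) is ignored, exactly as the slide advises."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not an https URL"
    domain = registrable_domain(url)
    if domain not in trusted:
        return False, f"registrable domain is {domain!r}, not a site you use"
    return True, f"registrable domain {domain!r} is trusted"


if __name__ == "__main__":
    for candidate in (
        "https://www.chase.com/login",
        "https://www.chase.bank.com/login",
        "https://www.chase.net/login",
        "http://www.chase.com/login",
    ):
        ok, reason = check_login_url(candidate)
        print(("OK  " if ok else "STOP"), candidate, "-", reason)
```

The point of computing the domain rather than eyeballing the whole URL is that the eye reads “chase” at the start and stops; the check reads from the TLD backwards, which is the direction the lookalike cannot fake.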
A common online banking attack toolkit asks the user to install a malicious root certificate
Mobile Device Security Considerations
Be an aware mobile device user
Disable or use privacy screens on webcams when not in use
Make sure your phone/speaker/TV is not activated when discussing sensitive information
“Texas” & “Lexus” sound a lot like “Alexa”
“Leery” & “Serious” sound a lot like “Siri”
Practice safe application storefront protocols
Be cognizant of QR code dangers
Inspect all links before clicking
Apply the concept of “Least Functionality” to all mobile devices
Turn off location services, Bluetooth, & Wifi when not in use
Do not use public Wifi if not fully trusted (stick to the LTE network)
A Few More Telework Security Considerations
Understand your company’s telework policies & procedures
Set up a secure workspace at home
Consider banning phones from sensitive conversation areas or using a specialized camera/mic cover
See Law Enforcement and DoD restrictions on phones in meetings
Consider having different computers/tablets/phones for different uses
One “unsecure” for normal browsing, e.g. news, Facebook, LinkedIn, etc.
One “secure” for sensitive activities only, e.g. work, online banking, 401k/IRA, etc.
Make sure your home Wifi is configured securely
No WEP or WPA1 (WPA2 or WPA3 is better)
Use a VPN for communications with office systems
Either company provided, or your own
Conclusions
Cybersecurity concerns will evolve in the 2020s
Attacks will become more targeted
Attacks will become more technically sophisticated
New attack methods will continue to appear
Practice Safe Computing Habits
Create long passwords and store them securely
Avoid email for confidential communications
Use MFA whenever possible
Encrypt communications and storage
Browse the web cautiously
Let’s All Be Extra Nice to Each Other!
Thank a farmer, truck driver, clerk, healthcare worker, first responder, et al
Help someone having trouble coping
Be patient with family
Recommended Reading
BPM COVID-19 Page bpmcpa.com/COVID-19
NIST Special Publication 800-46: Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf
Bloomberg Cybersecurity https://www.bloomberg.com/topics/cybersecurity
Krebs on Security https://krebsonsecurity.com/
The Art Of Deception by Kevin Mitnick
Microsoft TechNet: password entropy = log(C)/log(2) * L, where C = the character set size (94) and L = password length
https://blogs.technet.microsoft.com/msftcam/2015/05/19/password-complexity-versus-password-entropy/
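The entropy formula above is what backs the earlier advice that length is the most important criterion for a strong password. As an added example (not from the presentation or the TechNet post), the Python below evaluates log(C)/log(2) * L for several character-set sizes and lengths and computes the length needed to reach a target number of bits; the comparison makes the trade-off concrete, e.g. sixteen lowercase letters outscore eight characters drawn from the full 94-symbol set. The alternative set sizes (10, 26, 62) and the 80-bit target are assumptions chosen for illustration.

```python
import math

# Character-set sizes. 94 is the printable-ASCII set used in the TechNet
# formula; the smaller sets are assumed here to show the trade-off.
CHARSETS = {
    "digits only": 10,
    "lowercase only": 26,
    "letters + digits": 62,
    "printable ASCII": 94,
}


def password_entropy_bits(charset_size, length):
    """Entropy in bits for a password of `length` symbols drawn uniformly
    from `charset_size` symbols: log(C)/log(2) * L, i.e. L * log2(C)."""
    return math.log(charset_size) / math.log(2) * length


def length_needed(charset_size, target_bits):
    """Smallest length whose entropy reaches `target_bits` for this set."""
    return math.ceil(target_bits / math.log2(charset_size))


def compare_policies(lengths=(8, 12, 16, 24)):
    """Rows of (charset name, length, entropy bits) for a side-by-side view."""
    return [
        (name, length, round(password_entropy_bits(size, length), 1))
        for name, size in CHARSETS.items()
        for length in lengths
    ]


if __name__ == "__main__":
    for name, length, bits in compare_policies():
        print(f"{name:18s} L={length:2d}  {bits:6.1f} bits")
    for name, size in CHARSETS.items():
        print(f"{name:18s} needs L={length_needed(size, 80)} for 80 bits")
```

The formula assumes every symbol is chosen uniformly at random, which is what a password vault does and a human does not; a memorable phrase with a fixed substitution pattern has less entropy than the table suggests, which is one more argument for generating and storing passwords in a vault.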
Thank You!
bpmcpa.com
Questions or Comments?