cybersecurity concerns for the roaring 20s · 2020-05-30 · tech support forums linkedin &...

Cybersecurity Concerns for the Roaring 20s, by David Trepp, MS/Partner

Post on 11-Jul-2020


Page 1: Cybersecurity Concerns for the Roaring 20s · 2020-05-30 · Tech Support Forums LinkedIn & Lead Sites Calls to Reception & Others Sophisticated Scripts Name Drops Relevant Topics

Cybersecurity Concerns for the Roaring 20s

David Trepp, MS/Partner

Page 2:

Fast Facts

Page 3:

David Trepp, Partner, IT Assurance

US Army veteran

MS Geochemistry

Serial tech entrepreneur 30+ years

Personal interests

Rock climbing

Bicycle touring

Information science

Thermodynamics

Page 4:

Today’s Presentation

I’m not a futurist

We will not discuss things like

Fusion reactors

Expeditions to Mars

I do track cybersecurity trends though

We will discuss both near and longer term trends

Technical topics will be presented with as little techno-babble as possible

Housekeeping

Questions and comments are encouraged

Feel free to use Q&A to pose questions

Page 5:

Content

Brief Review of Threat Sources

Top Cybersecurity Threats of the Roaring 20s

Safe Computing Tips

Page 6:

Brief Review of Threat Sources

Page 7:

Threat Sources

Threat Source: Hacktivists
Examples:
• (2016) Panama Papers legal document release
• (2019) UK Labour Party DDoS attack
• (2019) German politicians dox’ed
Motivation/Impact: Digital vigilante justice

Threat Source: Foreign Nation-State Sponsored Entities
Examples:
• (2010) Stuxnet attack on Iranian uranium centrifuges
• (2016) Democratic National Committee espionage
• (2016) Attack on Ukraine’s electrical power grid
• (2017) Equifax data breach affecting 145M North Americans
• (2019) Triton, i.e., Trisis, industrial sabotage malware attack on Saudi Arabian infrastructure
Motivation/Impact: Espionage; disruption of critical services; political influence

Threat Source: Cybercriminals
Examples:
• (2008) Heartland Payment Systems
• (2011) Sony PlayStation Accounts
• (2012) US Office of Personnel Management
• (2013) Target
• (2014) eBay
• (2016) Uber
• (2019) Capital One, MS O365, Box
Motivation/Impact: Corporate fraud; credit card fraud; identity theft; tax fraud; extortion; intellectual property theft; records tampering

Threat Source: Employees, Vendors & Contractors (i.e., insiders)
Examples:
• (2008) City of SF former employee locked out network access
• (2008) Former Cox Communications employee shut down service in three states
• (2013) Edward Snowden leaked classified NSA information
• (2016) Air Force whistleblower leaked classified data on election interference
Motivation/Impact: Negligence; poor training; retaliation; extortion

Page 8:

Many Hackers Already Practice Social Isolation

Page 9:

Worsening Threat Landscape

Releases of sophisticated, formerly secret hackers’ tools into the public domain are rampant, e.g.

Equation Group

Hacking Team

Criminals and hacktivists have figured out that cyber crime is low risk, high reward, so their numbers are growing

Darkweb “storefronts” provide packaged tools and hackers no longer have to be technically savvy, so their numbers are growing

Foreign nation-state sponsored entities have immense resources at their disposal and they’re now targeting all types of US organizations

The Internet of Things continues to increase the Internet’s attack surface area

New vulnerabilities are being released at a dizzying rate

Page 10:

Top Cybersecurity Threats of the Roaring 20s

Page 11:

Cybersecurity Threats in the Roaring ‘20s

Ransomware 2.0

Phishing 2.0

Attacks Against Critical Infrastructure

Expanded Tax Fraud

Defeating Multi-Factor Authentication (MFA or 2FA)

Cloud & Cross-Boundary Attacks

The Drone Wars

AI Aided Deep Fakes

Other Attacks on Truth & Our Confidence in Institutions

Obsolescence of Modern Encryption

Page 12:

Ransomware 2.0

Mobile-device enabled Ransomware

Dormant until no one is around

Sunday morning 1am

Not just denial-of-service anymore, also sensitive data releases

No hacking skills required: ransomware as a service

Encrypt your boss’ drive on the way out the door

Page 13:

Typical Ransomware Message

Page 14:

Ransomware 2.0

Page 15:

Phishing 2.0

Targeted, with prior reconnaissance for:

Name drops

Business-specific subjects

“Trusted” banners and security assurances

Multi-step, email followed by call, text, or email lacking an attachment

Did you receive my important email yesterday?

Taking advantage of current events

Multi-media

Phishing (email)

Vishing (Voice)

Smishing (Text)

Page 16:

Phishing 2.0: “I’m From A Trusted Source”

Mobile-device enabled

Page 17:

Phishing 2.0: The CEO Needs You…Now!

Page 18:

Phishing 2.0: Check Out My Totally Legit Resume

Page 19:

Phishing 2.0: The Bank Has Your Back

Page 20:

Phishing 2.0: Targeting Tech Firms

Page 21:

Phishing 2.0: Targeting CPA Firms

Page 22:

Phishing 2.0: Exploiting Current Events

Page 23:

Phishing 2.0: Improved Voice and Text Attacks

Emergency

“It’ll cost you $ to get out of this bind, but I’ll accept a gift card”

Routine

“This is a totally non-malicious request for PII or system access”

Customer Service

“I’m from Customer Service at Acme Company, and I saw the negative Google review you posted. Tell me what went wrong then I’ll send you a gift certificate for your trouble (I’ll just need a little PII first).”

Page 24:

Phishing 2.0: Exploiting Current Events

Page 25:

Phishing 2.0: Attacks Targeting Organizations

Detailed Reconnaissance

Annual Reports

Press Releases

Tech Support Forums

LinkedIn & Lead Sites

Calls to Reception & Others

Sophisticated Scripts

Name Drops

Relevant Topics

Multiple Attack Vectors

Email, text, phone, in person

Significant Impact

Persistence

Escalation

Page 26:

Attacks Against Critical Infrastructure

Systems that Provide

Electricity

Water

Sewage

Communications

Etc.

Attacks

Reconnaissance

Find Weaknesses

Lie Dormant

Coordinated Future Attacks

Page 27:

Expanded Tax Fraud

Attacking accounting firms

Impersonate clients to harvest sensitive information

Commandeer accounting firm websites, document portals, and mail systems to impersonate the firms

Attacking individuals who are filing

Target consistent high-earners and file fraudulent returns early, with large refunds

Impersonate accounting firms (see above) to get clients to download fraudulent documents or mobile applications. These attacks can be very effective, as the malicious payloads are often industry-standard remote access tools (which pass muster with anti-virus) or sophisticated mobile banking malware

Attacking firms that distribute key tax documents e.g. W2s & 1099s

Impersonate these firms and send out emails containing fraudulent forms purporting to be legitimate W2s or 1099s, or links to portals where the victim logs in to access such documents

Page 28:

Defeating Multi-Factor Authentication (MFA or 2FA)

Help desk attacks

Convince them to switch the phone #

Backdoor access that doesn’t require MFA

Exchange Web Services (EWS)

Exchange modern encryption

Ask the user for their one-time code

“We’re from the bank’s security department, and there’s been some suspicious activity with your account; but before we go any further, we need you to verify it’s you. Please read me the code you were just sent.”

The code was sent by your legitimate financial institution, who sent it to you because the fraudster just entered your (stolen) username and password. Now the fraudster is calling you to request the MFA one-time code.

SIM card swaps

If your phone suddenly tells you it has “No Service” or provides you an “access code” you weren’t anticipating, contact your cell provider right away and ask them if there’s been any activity on your account, e.g. a SIM swap

Page 29:

Defeating MFA: Continued

Password Guessing

Hijacking Home/Mobile Devices

Logging all your keystrokes

Viewing your screen

Intercepting cookies/session IDs

Necrobrowser

Modlishka

Impersonating Tech Support to Teleworkers

“IT has me calling everyone to make sure all our company teleworkers have the critical new Adobe patch.”

Page 30:

Cloud & Cross-Boundary Attacks

Typical Information Systems Have Various Levels of Connectivity with Numerous “Integrated Entities”

Internal Departments & Devices

HR, Finance, Ops, etc.

Shadow IT

BYOD

IoT

Internal (Segmented) Subnets

DMZs

Industrial Control Systems/SCADA

Cardholder Data Environment (CDE)

WiFi Networks

Remote Branches/Offices/Employees

Page 31:

Cloud & Cross-Boundary Attacks Continued

Typical Information Systems Have Various Levels of Connectivity with Numerous “Integrated Entities”

Vendors

Product/Application Vendors

Support Vendors

Hosting/Cloud Vendors

Government/Industry Agencies

Reporting

Data Sharing Consortiums

Councils of Government

Emergency Response Groups

Page 32:

Cross-Boundary Attack Example: Target Breach 2013

HVAC Vendor Identified & Breached

Via Phish

Target Provided Remote Access For Vendors

Billing, Contract Submission, and Project Management

Alleged Attack Steps (After Compromising HVAC Vendor)

Exploit a vulnerable (unpatched) PHP instance in the vendor web app’s “document upload” feature and establish local host admin

Pull NTLM password hashes from LSASS

Exploit “pass-the-hash” for DA account privileges

Use DA privileges to ransack PoS systems & steal 40 million credit cards

Deliver them across the Internet to criminal hosts via DNS exfiltration

Target Network Lacked Sufficient Controls

No multi-factor authentication

Inadequate patch management

Inadequate vendor server segmentation

No Cardholder Data Environment (CDE) segmentation

No SMB (digital) signing controls

Inadequate information flow controls, specifically network egress controls
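The attack chain on this slide ends with card data leaving the network over DNS, and the last missing control is egress monitoring. The following Python is an added example, not from the presentation or from the cited analysis, of the kind of detection logic an egress control would run over DNS query logs: it flags a client that sends many distinct, long, high-entropy labels under one base domain, the shape that tunnelled data takes. The two-column log format, the client addresses, the domain names and the thresholds are all constructed for illustration.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample log: "<client ip> <query name>" per line. The hex-like
# labels stand in for encoded data chunks; no line here is real traffic.
SAMPLE_DNS_LOG = """\
10.0.5.21 www.example.com
10.0.5.21 mail.example.com
10.0.5.21 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.cdn.example.net
10.0.5.21 0123456789abcdef0123456789abcdef01234567.static.cdn-example.net
10.0.7.9 0123456789abcdef0123456789abcdef01234567.t.exfil-test.example
10.0.7.9 89abcdef0123456789abcdef0123456789abcdef.t.exfil-test.example
10.0.7.9 456789abcdef0123456789abcdef0123456789ab.t.exfil-test.example
10.0.7.9 cdef0123456789abcdef0123456789abcdef0123.t.exfil-test.example
10.0.5.21 www.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname: str) -> str:
    """Last two labels of a query name. Assumption: no Public Suffix List,
    so multi-part suffixes such as .co.uk are not handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str) -> List[Tuple[str, str]]:
    """Parse the constructed two-column format into (client, query name)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # skip blank or malformed lines
        client, qname = fields
        records.append((client, qname.rstrip(".").lower()))
    return records


def flag_exfil_candidates(text: str, min_label_len: int = 30,
                          min_entropy: float = 3.0,
                          min_unique: int = 3) -> Dict[Tuple[str, str], int]:
    """Return {(client, base domain): count} for groups where at least
    min_unique distinct query names each carry a label that is both long
    (>= min_label_len) and high-entropy (>= min_entropy bits/char).

    Long alone is not enough (a CDN host may have a long fixed name), and a
    single high-entropy name is common (content hashes); many distinct such
    names to one domain from one client is the signal.
    """
    groups: Dict[Tuple[str, str], set] = defaultdict(set)
    for client, qname in parse_dns_log(text):
        longest = max(qname.split("."), key=len)
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            groups[(client, base_domain(qname))].add(qname)
    return {key: len(names) for key, names in groups.items() if len(names) >= min_unique}


if __name__ == "__main__":
    for (client, domain), count in flag_exfil_candidates(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {count} distinct long high-entropy query names")
```

In the sample, the forty-character run of a single letter fails the entropy test and the lone content-hash lookup to the CDN domain fails the distinct-name count, so only the 10.0.7.9 client is reported. Both thresholds are knobs: a real deployment would tune them against its own baseline and keep an allowlist for services that legitimately encode data in DNS labels.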

Page 33:

Cross-Boundary Target Breach, continued

Source: Breaking the Target: An Analysis of Target Data Breach and Lessons Learned

https://arxiv.org/pdf/1701.04940.pdf

Page 34:

The Drone Wars

Drones are used by both law enforcement and attackers:

Wifi

War flying

Hi-Res video

Capture phone pin

Upper story office windows

Sensitive audio

Phone purchase credit card #

Movement Habits/Favorites

Spend your $ at the same places you do, so no fraud alerts are triggered

Disabling GPS & overcoming geofencing to trespass

Government and research concern

Page 35:

AI Aided Deep Fakes - Both Audio & Video

Page 36:

Other Attacks on Truth & Confidence in Institutions

Nation-state attacks

Voting System Attacks

If machines are unavailable or results are unreliable, our democracy fails

Page 37:

Cesspool of unvetted disinformation in media and social media

Political echo chambers

Loss of mediating effects of local news results in extremism

Anti-Intellectualism

“I don’t believe in science.”

Mike Hughes

Disinformation for Sale

Other Attacks on Truth & Confidence in Institutions

Page 38:

Obsolescence of Modern Encryption

The promise of quantum computing:

In traditional computing, a bit has a single value (zero or one)

Quantum bits (qubits) can take on a superposition of both values

Quantum networks could be un-crackable

Quantum computers would be wonderful for solving problems like medical research

Building models of viruses

Quantum computers would also render modern encryption algorithms obsolete

Performing trillions of cracking operations per millisecond

Challenges still facing quantum computing

Decoherence

Vibrations, temperature fluctuations, magnetic fields, and even observations destroy qubit properties of quantum computers

Error handling performed with non-binary qubits

In binary math, there are only two possible answers to each operation

A parity bit, which is the 0 or 1 representing the sum of the previous bits in the string, can help reconstruct lost bits

If bit one = 0 and bit two = 0, their sum (or the parity bit) = 0

If bit one = 1 and bit two = 1, their sum (or the parity bit) = 0

If bit one = 1 and bit two = 0, their sum (or the parity bit) = 1

If any single bit gets lost in transmission, the value of the parity bit tells us how to back-calculate the missing bit
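The parity arithmetic above, carried through in Python for a bit string of any length, as an added example that is not part of the slides: a parity bit is appended, a single bit lost in transmission (position known, value unknown) is back-calculated, and the limit of the scheme is made explicit: a single flipped bit is detected but not located, and two flips cancel out and pass the check.

```python
from typing import List, Optional


def parity_bit(bits: List[int]) -> int:
    """Even parity: the sum of the bits modulo 2 (0 for 0+0 and 1+1, 1 for 1+0)."""
    return sum(bits) % 2


def encode(data: List[int]) -> List[int]:
    """Append the parity bit so that the whole codeword sums to an even number."""
    return list(data) + [parity_bit(data)]


def recover_erased_bit(received: List[Optional[int]]) -> List[int]:
    """Restore a codeword in which exactly one position is unknown (None).

    Because the full codeword must have even parity, the missing bit is
    whatever makes the sum of the known bits even. This works for a lost
    data bit and for a lost parity bit alike.
    """
    erased = [i for i, b in enumerate(received) if b is None]
    if len(erased) != 1:
        raise ValueError(f"parity restores exactly one erased bit, got {len(erased)}")
    known_sum = sum(b for b in received if b is not None)
    return [b if b is not None else known_sum % 2 for b in received]


def parity_ok(received: List[int]) -> bool:
    """True if the codeword still has even parity.

    A single flipped bit makes this False (detected), but the check cannot
    say which bit flipped, and two flips cancel so they pass unnoticed:
    one parity bit corrects a known erasure, it does not correct errors.
    """
    return sum(received) % 2 == 0


if __name__ == "__main__":
    word = encode([1, 0, 1, 1, 0])          # data plus parity bit
    damaged = list(word)
    damaged[2] = None                       # bit 2 lost in transit
    print("sent     ", word)
    print("restored ", recover_erased_bit(damaged))
    flipped = list(word)
    flipped[0] ^= 1
    print("one flip detected:", not parity_ok(flipped))
```

The slide's three two-bit cases are exactly `encode([0, 0])`, `encode([1, 1])` and `encode([1, 0])`; the general rule is the same sum-modulo-2 over however many bits precede the parity bit.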

Page 39:

Safe Computing

Page 40:

Safe Computing Tools & Techniques

Password Management

Use strong passwords

Length is the most important criterion for a strong password

But there must also be substitutions (use a repeatable substitution pattern)

Store them in password vault applications

KeePass, RoboForm

Or at least password protect that Excel file you’re using…

Put up with the hassle of multi-factor authentication

Google Authenticator

Email

Don’t use email for sensitive information!

Many message platforms use end-to-end encryption, e.g. Slack, WhatsApp

Password protect attachments

Sanitize the contents of your inbox, sent, trash, etc.

Use inbound mail filter tools to pre-examine attachments and links

For personal email, see apps like Hushmail

If you must use email for sensitive data, use encryption tools

PGP

Zixmail

Page 41:

Safe Computing Tools & Techniques

Browsing

Before logging in, confirm the word immediately preceding the .com, .org, .net, etc. and the .com itself

https://www.chase.com vs. https://www.chase.bank.com

https://www.chase.com vs. https://www.chase.net

Logout when you’re done

Secure your browser settings, e.g.

Firefox with

No-Script (prohibits a startling number of scripts running in the background)

Privacy Badger (restricts ads, cookies, tracking)

Foxy Proxy (hides your point of origin)

Limit sharing & post anonymously, whenever possible

Yelp & Google Review Scams

Be suspicious of all pop-ups & dialog boxes
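The check at the top of this slide, look at the label immediately before the .com and at the .com itself, written as a Python function over a whole URL. This is an added example, not from the slides; chase.com is the slide's own example, the other hosts are constructed. It also covers two lookalike forms the slide's two examples do not: a host such as www.chase.com.evil.example, and a `user@` prefix that puts the real host after the familiar name, which the URL parser strips. It assumes the registrable domain is always the last two labels, which is an assumption that fails for multi-part suffixes like .co.uk.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def registrable_domain(url: str) -> Optional[str]:
    """Return the label right before the top-level label plus that label,
    e.g. "chase.com" for https://www.chase.com/login.

    Assumption: the registrable domain is the last two labels. That holds
    for .com/.org/.net and fails for multi-part suffixes such as .co.uk,
    which need the Public Suffix List. Returns None when there is no usable
    host or when the host is a bare IP address.
    """
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname  # drops the port and any user:pass@ prefix
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None  # an IP address has no registrable domain
    except ValueError:
        pass
    labels = host.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def is_expected_login_site(url: str, expected_domain: str) -> bool:
    """True only if the URL uses https and sits under expected_domain."""
    return (urlsplit(url).scheme.lower() == "https"
            and registrable_domain(url) == expected_domain.lower())


if __name__ == "__main__":
    # The slide's two examples plus two constructed lookalikes.
    for candidate in ["https://www.chase.com/login",
                      "https://www.chase.bank.com/login",
                      "https://www.chase.net/login",
                      "https://www.chase.com@evil.example/login"]:
        print(f"{candidate:45} -> {registrable_domain(candidate)} "
              f"{'OK' if is_expected_login_site(candidate, 'chase.com') else 'MISMATCH'}")
```

The point the function makes mechanical is that everything left of the registrable domain is under the registrant's control, so a familiar word there proves nothing; only the last two labels (and the padlock, hence the https check) identify the site.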

A common online banking attack toolkit asks the user to install a malicious root certificate

Page 42:

Mobile Device Security Considerations

Be an aware mobile device user

Disable or use privacy screens on web cams when not in use

Make sure your phone/speaker/TV is not activated when discussing sensitive information

“Texas” & “Lexus” sound a lot like “Alexa”

“Leery” & “Serious” sound a lot like “Siri”

Practice safe application storefront protocols

Be cognizant of QR code dangers

Inspect all links before clicking

Apply the concept of “Least Functionality” to all mobile devices

Turn off location services, Bluetooth, & Wifi when not in use

Do not use public Wifi if not fully trusted (stick to the LTE network)

Page 43:

A Few More Telework Security Considerations

Understand your company’s telework policies & procedures

Set up a secure workspace at home

Consider banning phones from sensitive conversation areas or using a specialized camera/mic cover

See Law Enforcement and DoD restrictions on phones in meetings

Consider having different computers/tablets/phones for different uses

One “unsecure” for normal browsing, e.g. news, Facebook, LinkedIn, etc.

One “secure” for sensitive activities only, e.g. work, online banking, 401k/IRA, etc.

Make sure your home Wifi is configured securely

No WEP or WPA1 (WPA2 or WPA3 is better)

Use a VPN for communications with office systems

Either company provided, or your own

Page 44:

Conclusions

Cybersecurity concerns will evolve in the 2020s

Attacks will become more targeted

Attacks will become more technically sophisticated

New attack methods will continue to appear

Practice Safe Computing Habits

Create long passwords and store them securely

Avoid email for confidential communications

Use MFA whenever possible

Encrypt communications and storage

Browse the web cautiously

Let’s All Be Extra Nice to Each Other!

Thank a farmer, truck driver, clerk, healthcare worker, first responder, et al.

Help someone having trouble coping

Be patient with family

Page 45:

Recommended Reading

BPM COVID-19 Page bpmcpa.com/COVID-19

NIST Special Publication 800-46: Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf

Bloomberg Cybersecurity https://www.bloomberg.com/topics/cybersecurity

Krebs on Security https://krebsonsecurity.com/

The Art Of Deception by Kevin Mitnick

Microsoft TechNet: password entropy = log(C)/log(2) * L

C = the size of the character set (94) and

L = password length

https://blogs.technet.microsoft.com/msftcam/2015/05/19/password-complexity-versus-password-entropy/
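An added Python example, not from the slides or from the TechNet post, that applies the cited formula, entropy = log(C)/log(2) * L, and uses it to make the Password Management slide's claim concrete: length contributes more than substitutions. The character-class sizes (26 + 26 + 10 + 32 = 94) are the assumption behind C = 94; the two passwords compared are constructed.

```python
import math
import string

# Character-class sizes; 26 + 26 + 10 + 32 = 94 is the printable ASCII set
# behind the cited C = 94 (the 32 symbols are string.punctuation).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def password_entropy_bits(length: int, charset_size: int) -> float:
    """The cited formula: entropy = log(C)/log(2) * L, i.e. L * log2(C).
    It assumes every character is drawn uniformly at random from the set."""
    if length <= 0 or charset_size < 2:
        return 0.0
    return length * (math.log(charset_size) / math.log(2))


def charset_size(password: str) -> int:
    """Size of the union of the character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in string.punctuation for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def estimated_entropy_bits(password: str) -> float:
    """Entropy the formula assigns to a password from its length and classes."""
    return password_entropy_bits(len(password), charset_size(password))


if __name__ == "__main__":
    # Constructed: a short password using all four classes versus a long
    # lowercase-only one. Doubling the length beats adding classes.
    for pw in ["Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(f"{pw:28} L={len(pw):2} C={charset_size(pw):2} "
              f"entropy={estimated_entropy_bits(pw):6.1f} bits")
    for length in (8, 12, 16, 20):
        print(f"L={length:2} C=94 -> {password_entropy_bits(length, 94):5.1f} bits")
```

Each extra character adds log2(94), about 6.55 bits, at C = 94, whereas going from lowercase only to all four classes raises the per-character figure from 4.70 to 6.55 bits, so four more characters outweigh every substitution. The formula does assume uniformly random characters; a password built from dictionary words is guessed by the word, not the letter, so it scores higher here than its real guessability, which is the reason the slide pairs length with a substitution pattern.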

Page 46:

Thank You!

bpmcpa.com

Questions or Comments?