Data Terrorism

Present day risks, threats, crimes, malicious and erroneous actions affect data in the manner that terrorism affects lives and can bring down organizations or human beings

19th April 2016, Dubai



Preamble

• The talk is about uncommon present day risks / threats / attacks that use data as a weapon, as hostage or as target and have the potential to disrupt, or close down, a thriving business

• We will take a few moments to discuss essential proactive security business practices and the role of auditors in steering client organizations in the right direction

Context

• This is not a techie talk

• My objective is to share knowledge about something where the experts are still searching for solutions and expertise

• And…. to stimulate an additional line of thinking when your “Audit Antenna” starts pinging you

Pyramid Services Portfolio

• Cyber Security & Digital Forensic Services

• Turnkey SOC and Digital Forensic Lab setup

• Forensic Investigation Services

• Security Incident Response and Management

• Managed Security Services

• Digital Fraud Solutions for Document Integrity

• VA/PT and AppSec

• Deception Technology Solution

• Social Media Monitoring and Intelligence

• Threat Intelligence

• Etc….

A Brief Introduction

Dinesh O Bareja, MVP, CISA, CISM, ITIL, ISMS, Cert ERM, Cert IPR

• Principal Advisor – Pyramid Cyber Security & Forensic FZE

• Researcher – Open Security Alliance

• Member IGRC – Bombay Stock Exchange

• Ex Cyber Surveillance Advisor – CDRC (Jharkhand Police – Special Branch)

My Interest Areas…… Enterprise & Government Policy Development; Threat Intelligence; Managed Security; Security Strategy, Design, Architecture; Audit & Optimization; Governance, Risk Management; … and more.

ABOUT ME

Agenda

• Assets

• A Quick Look At Terrorism

• FUD: Fear Uncertainty & Doubt

• Data Terrorism

• Ransomware

• Business Email Compromise (BEC)

• The Internal Auditor

ASSETS

Assets are tangible or intangible and are continuously under the lens of the Internal Auditor – we take another look at what you are looking at

What Is The Most Valuable Asset In ANY Organization

• Something you spend countless man hours, days, years of effort to create

• It takes different forms

• Crucial for your survival, happiness, growth …

• Grows on you and you don’t even know it… just like your own physical and mental self

• After a while you do not know what you have –why you have what you have, where it is - why it is there

The MVA is YOUR

• IP – Patents, Formulae etc

• Payroll

• Supplier Info

• Confidential Reports

• Strategic Plans

• Acquisition Plans

• Accounts

• Customer Data

• Sales Plans

• Cost Sheets

• Invoices

• Hiring / Firing

• Board Meetings

• Audit Findings

Data is threatened by all types of risks and is the most valuable asset for any organization today.

A Quick Look at Terrorism

As we have known it

Defining “Terrorism”

Someone comes along, tramples all over, destroys everything we hold dear and sets the clock back into the dark ages

Inconsiderate and brutal treatment of life, society and things

Life and all the things you care about – all that we have grown up with to love, respect, nurture

Terrorist Weapons of Choice

Terrorist V.1 – The terrorists as we know them: masked, trained, gun-carrying killers, members of some group

Terrorist V.2 – The digital terrorist: unknown, self-trained, skilled criminal, invisible, untraceable; can be an individual player

The next few slides illustrate scenarios that should be on top of our mind

https://medium.com/@BatBlue/terror-goes-cyber-840046868526#.ohi1kqkvt

Hackers took over the systems, shut down the grid one by one, updated the firmware on devices with malicious patches to render all hardware useless on rebooting

Other Horror Stories

• Aramco

• Qatar Petroleum

• Target

• Office of Personnel Management, USA

• Ashley Madison

Data Terrorism

Terrorizing data or using data to terrorize you

Terrorism Is (diagram): Criminal / Terrorist, Weapon, Victim / Hostage, Target, Ransom

Data As A Weapon

• Individual’s social network and emails are compromised and…

• Email sent from victim’s account to police reporting a bomb or attack or a hijacking

• Or use the victim’s personal wifi and send emails

• Personal pictures tampered and released in social networks

• Obnoxious / obscene phone calls, messages and emails

• Bombarded with SMSes, phone calls, emails

• Enough to terrorize the victim and drive that individual and family to a mental asylum or to suicide

Victim – Weapon: DATA

Bombarded her with up to 100 threatening phone calls, texts and Facebook messages a day. Hacked into Facebook account. Sent lurid messages calling her “disgusting” and a “slag”.

The precise center of the United States is in northern Kansas, near the Nebraska border. Technically, the latitudinal and longitudinal coordinates of the center spot are 39°50′N 98°35′W. In digital maps, that number is an ugly one: 39.8333333,-98.585522.

In 2002, when MaxMind (a digital mapping company) was first choosing the default point on its digital map for the center of the U.S., it decided to clean up the measurements and go with a simpler, nearby latitude and longitude: 38°N 97°W or 38.0000,-97.0000.

As a result, for the last 14 years, every time MaxMind’s database has been queried about the location of an IP address in the United States it can’t identify, it has spit out the default location of a spot two hours away from the geographic center of the country.

http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/

& Then… In order to help us keep our sanity intact when one sees everything about life being thrown into the gutter of terrorism, God Made A Few Idiots

How To Terrorize You With Data

• Ransomware

• Business Email Fraud

• Document Fraud

• Espionage

• Keyloggers

• Backdoors

• Wifi Misuse

• Phishing

• Vishing

• Social Engineering

• Honeytraps

• DNA Manipulation

• Data poisoning

• Deception

• ETC…

All one needs is just a dirty criminal mind

Ransomware is one of the most dominant threats faced by businesses of all sizes.

Management must face reality, and the auditor can help by highlighting the risk and ensuring proactive controls and action

Oh Yes… We Should be VERY Scared

Symantec Report

How Attacks Are Launched

• Infected Email attachments

• Drive-by Download

• Free software

• Unpatched systems

• Scareware

• Spear Phishing

Generally, stay away from opening files of these types, especially from unknown senders: .exe, .bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh, .jar and .zip (.zip is on the list because archives are routinely used to smuggle the others past attachment filters, and a double name such as invoice.pdf.scr shows up as a PDF in a mail client that hides known extensions).
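One way to enforce the list above at the mail gateway or on a shared mailbox, as an added example that is not from the original deck: the check treats every dotted part of the name as an extension (so the double-extension trick is caught) and opens ZIP attachments to apply the same rule to their members, reporting encrypted members and malformed archives instead of waving them through. The extension set is the slide's list plus .js, .jse and .hta (my additions); the sample ZIP is constructed inside the block.

```python
# Added example (not from the deck): hold attachments whose name or archive
# contents carry a risky extension. The extension list is the slide's plus
# .js/.jse/.hta (my addition); the sample ZIP below is constructed here.
import io
import zipfile

RISKY_EXTENSIONS = {
    "exe", "bat", "cmd", "com", "lnk", "pif", "scr",
    "vb", "vbe", "vbs", "wsh", "jar", "js", "jse", "hta",
}
ARCHIVE_EXTENSIONS = {"zip"}


def risky_reasons(filename, data=None, _depth=0):
    """Reasons an attachment should be held, or [] if none were found.

    Every dotted part after the first is treated as an extension, so the
    double-extension trick ('invoice.pdf.scr', shown as a PDF by a client that
    hides known extensions) is caught. When data is given and the name ends in
    .zip, each member is checked the same way, one level deep; encrypted
    members and malformed archives are reported, never silently trusted.
    """
    reasons = []
    base = filename.lower().rsplit("/", 1)[-1]
    exts = base.split(".")[1:]
    risky = [e for e in exts if e in RISKY_EXTENSIONS]
    for ext in risky:
        reasons.append(f"{filename}: executable extension .{ext}")
    if risky and len(exts) > 1:
        reasons.append(f"{filename}: double extension hides real type")
    if exts and exts[-1] in ARCHIVE_EXTENSIONS and data is not None:
        if _depth >= 1:
            reasons.append(f"{filename}: nested archive not inspected")
            return reasons
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_name = f"{filename}/{info.filename}"
                    if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                        reasons.append(f"{member_name}: encrypted member, cannot inspect")
                        continue
                    reasons.extend(risky_reasons(member_name, zf.read(info), _depth + 1))
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: malformed ZIP archive")
    return reasons


def build_sample_zip():
    """Constructed sample: a ZIP hiding a .scr behind a .pdf name, plus a benign note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.scr", b"MZ\x90\x00 stand-in for a screensaver binary")
        zf.writestr("readme.txt", b"please open the attached invoice")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("report.docx", None), ("invoice.pdf.scr", None),
               ("payment.zip", build_sample_zip()), ("bad.zip", b"not a zip"))
    for name, blob in samples:
        print(name, "->", risky_reasons(name, blob) or "ok")
```

The filter is deliberately name-based and cheap; it is a first gate, not a substitute for scanning file content, and it does not look inside formats the slide does not list (macro-enabled Office documents, ISO images).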

The Grim Reaper’s assistant just paid you a call

The time you have to arrange and pay the ransom

How To and FAQs better than the best !

In simple words – don’t try to be intelligent. Just follow our instructions and pay up and get your life back

A pharmaceutical company may have to defreeze its computer data as hackers have seized control of computers and network using malicious ‘ransomware’ and are demanding $150k in bitcoins (US $64.7 million) to unlock its data.

“All the files have been encrypted and we could see it stored in the system but not access it. The minute we click on any file, it opens a decrypt browser, which asks for money. If we don’t pay the amount they are threatening to double the amount.”

SMALL BUSINESS, SMALL DEMAND

Hackers demanded $500 from a businessman to get access to 500 GB of his company’s data, personal pictures and videos stored in his laptop, which was locked using ransomware. He was not left with a choice but to format his computer, thereby losing all the data.

This timeline is being shown only to reinforce the fact that this threat has been around for quite some time, but we have had our heads in the sand

Horror Stories

Symantec Report

Proactive Controls

• Practice Safe Email Usage

• Don’t Open Spam

• Enable Email Security

• Test Your Backup

• Awareness

• Cyber Insurance

• Oversight

• Backup, Backup and Backup

But … if you have been hit, then… pray your backup has not been compromised too, and that it works
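“Test your backup” and “pray your backup has not been compromised too” can be turned into a routine check before a restore is trusted. As an added example that is not from the original deck, the scan below walks a restored tree and flags three signals of data that was already encrypted when it was backed up: a known ransom-note filename, a text-type file renamed with an extra extension (sales.csv.locked), and a text-type file whose leading bytes are near-random. The note names, the entropy threshold and the sample files are constructed for the example; run it against a known-good backup first to tune the threshold.

```python
# Added example (not from the deck): scan a restored backup for signs that the
# data was already encrypted when it was taken. Note filenames, thresholds and
# the sample tree are constructed for this example.
import math
import os
import shutil
import tempfile
from collections import Counter

TEXT_EXTENSIONS = {".txt", ".csv", ".xml", ".sql", ".json", ".log"}
NOTE_NAMES = {"how_to_decrypt.txt", "decrypt_instructions.html", "restore_files.txt"}


def shannon_entropy(data):
    """Bits per byte: ~7.9+ for ciphertext or random bytes, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_backup_files(root, entropy_threshold=7.2, sample_bytes=65536):
    """Sorted (relative path, reason) pairs for files that look encrypted.

    Compressed formats (.zip, .jpg, .docx) are not examined because they are
    legitimately high-entropy; files under 256 bytes are skipped because the
    entropy estimate is unreliable there. Expect some false positives from
    names like notes.txt.bak, which the rename rule also catches.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            stem, ext = os.path.splitext(lower)
            inner = os.path.splitext(stem)[1]
            if lower in NOTE_NAMES:
                findings.append((rel, "ransom note filename"))
            elif inner in TEXT_EXTENSIONS and ext not in TEXT_EXTENSIONS:
                findings.append((rel, f"text file renamed with extension {ext}"))
            elif ext in TEXT_EXTENSIONS:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
                h = shannon_entropy(head)
                if len(head) >= 256 and h >= entropy_threshold:
                    findings.append((rel, f"entropy {h:.2f} bits/byte, likely encrypted"))
    return sorted(findings)


def build_sample_backup():
    """Constructed sample tree: one intact CSV, one encrypted in place (os.urandom
    stands in for ciphertext), one encrypted and renamed, one ransom note."""
    root = tempfile.mkdtemp(prefix="backup-check-")
    rows = b"id,name,city\n" + b"".join(f"{i},Customer {i},Dubai\n".encode() for i in range(200))
    with open(os.path.join(root, "customers.csv"), "wb") as fh:
        fh.write(rows)
    with open(os.path.join(root, "payroll.csv"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "invoices.xml.locked"), "wb") as fh:
        fh.write(os.urandom(1024))
    with open(os.path.join(root, "how_to_decrypt.txt"), "wb") as fh:
        fh.write(b"Your files are encrypted. Pay 2 BTC to get the key.\n")
    return root


def remove_sample_backup(root):
    """Delete the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_backup()
    for rel, why in suspicious_backup_files(sample):
        print(rel, "->", why)
    remove_sample_backup(sample)
```

A clean result is not proof the backup is good; it only rules out the obvious case. The restore still has to be opened and used, and the scan belongs in the periodic backup test rather than only after an incident.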

If The Backup Works

• Format the hard drive

• Do a thorough scan on the COMPLETE network

• Restore your data (and verify that the restored files open and are not themselves already encrypted)

• This is not going to be as easy as anyone has told you!

If The Backup Doesn’t Work

• Isolate the infected systems

• Call in your incident response SWAT team

• Identify the malware family

• Make an image of the drive

• Attempt to decrypt (only on the copy)

• Back off if it is not working (get back to work)

• Negotiate the ransom (start with a 10% offer)

IN EITHER CASE

•Do a forensic analysis of your network to see what came in, when, and why. Follow up the learning with control updates and corrections

•Communicate the issue at the time of discovery to your employees (at all levels) and share the details of the investigation process and progress

•Create an awareness program to be run with all employees in the aftermath of the incident

•Create a sensitization program and plan for periodic delivery to all employees and stakeholders

Will you pay the ransom

Will you get your data back? (really!)

BUSINESS EMAIL COMPROMISE

A simple risk that compromises the integrity of the emails you exchange internally or with a supplier or buyer, and leads to loss of money (the payment) when the transaction is consummated!

How It Works

• Compromise Vector - phishing, spear phishing using lookalike domain name (another risk called “typosquatting”)

Typosquatting: ICICI Bank (39 variants)

- Common extensions (xyzbank-online vs. xyzbank)

- Similar sounding character combinations (mispace vs. myspace)

- Missing characters (gmai vs. gmail)

- Missing double characters (leson vs. lesson)

- Extra double characters (yahhoo vs. yahoo)

- Wrong character sequence (IMB vs. IBM)

- Wrong key pressed (fesex vs. fedex)

Typosquatting

12 variants found for Mashreq Bank

• mashreqbankonline.com

• ashreqbank.com

• mshreqbank.com

• mahreqbank.com

• masreqbank.com

• masheqbank.com

• mashrqbank.com

• mashrebank.com

• mashreqbnk.com

• mashreqban.com

• mashrreqbank.com

• masherqbank.com

• 92 other suggestions by an online portal

How It Works

• Modus Operandi – highly targeted and will not alert spam traps

• The crooks would have done their due diligence to understand organization stakeholders, their business, interests, relationships, travel plans, transactions etc

• Place themselves in the middle of an email conversation with supplier/buyer

• Both ends trust the spoofed email address

• When the communication carries bank information for a payment, this is changed

• Payment goes out to the criminal’s bank and it is siphoned out without delay
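The typosquatting classes listed above and the “in the middle” e-mail described here can both be checked in code. As an added example that is not from the original deck, the first function generates the variants of a trusted domain label (missing, doubled, transposed and adjacent-key characters, plus appended words; the “similar sounding” class needs a phonetic table and is not generated), and the second classifies the sender domain of an incoming message against a list of trusted supplier domains, which is the check a payables desk wants before acting on changed bank details. The trusted domains, sample addresses and the QWERTY neighbour table are constructed for the example.

```python
# Added example (not from the deck): generate typosquat variants of a trusted
# domain label and classify inbound sender domains against them.
# Trusted domains and sample addresses are constructed for the example.

_QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # letter rows only


def _neighbours(ch):
    """Keys physically next to ch on the same QWERTY row ('wrong key pressed')."""
    for row in _QWERTY_ROWS:
        i = row.find(ch)
        if i >= 0:
            return list(row[max(i - 1, 0):i] + row[i + 1:i + 2])
    return []


def typosquat_variants(label):
    """Lookalike labels for one domain label such as 'mashreqbank'.

    Covers the slide's classes except 'similar sounding': missing character
    (also covers a missing double), extra double character, swapped adjacent
    characters, adjacent-key substitution and common appended words.
    The original label is never returned.
    """
    label = label.lower()
    n = len(label)
    out = set()
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                  # mshreqbank, leson
        out.add(label[:i] + label[i] + label[i:])           # mashrreqbank, yahhoo
        for key in _neighbours(label[i]):                   # fesex
            out.add(label[:i] + key + label[i + 1:])
        if i + 1 < n and label[i] != label[i + 1]:          # masherqbank, imb
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for word in ("online", "-online", "secure", "login"):   # mashreqbankonline
        out.add(label + word)
    out.discard(label)
    out.discard("")
    return sorted(out)


def classify_sender(address, trusted_domains):
    """'trusted' for an exact domain match, 'lookalike' when the first label is a
    typosquat of a trusted domain's first label (or the same label under another
    TLD), otherwise 'unknown'.

    Caveat: only the domain string is examined. A forged header From: on an exact
    trusted domain still returns 'trusted'; SPF/DKIM/DMARC checks on inbound mail
    are what catch that case.
    """
    domain = address.rsplit("@", 1)[-1].strip().rstrip(">").lower()
    trusted = {t.lower() for t in trusted_domains}
    if domain in trusted:
        return "trusted"
    label = domain.split(".", 1)[0]
    for t in trusted:
        t_label = t.split(".", 1)[0]
        if label == t_label or label in typosquat_variants(t_label):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    variants = typosquat_variants("mashreqbank")
    print(len(variants), "variants, e.g.", variants[:5])
    for sender in ("ap@mashreqbank.com", "Accounts <ap@mashrqbank.com>", "x@example.org"):
        print(sender, "->", classify_sender(sender, {"mashreqbank.com"}))
```

The same generator is what you feed to a registrar or a domain-monitoring service: register the variants you can, and alert on the ones somebody else registers.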

Horror Stories

• A small Exchange Company lost AED 4 m when their emails were intercepted and the fraudsters changed values in excel files carrying transmission instructions

• Small business garment exporter lost $ 0.5 m as his invoice with payment instructions was tampered in transit

• Ubiquiti Networks (q3-2015) reported $ 46.7 m lost in email compromise attack

• The Scoular Co, Omaha (USA) $ 17.2 m – executive wired the amounts to China after receiving instructions via email

Rs 147 cr = US $ 31 million

How To Avoid… Proactive Controls

• Authentication of recipient and sender emails at both ends (publish and enforce SPF, DKIM and DMARC on your own domain, and check them on inbound mail)

• Create a trusted email and include this in the contract

• Frequently audit the emails from and to this account

• Encrypt email communication

• Protect invoices and payment instruction documents with strong passwords (do not send the password in the same email!)

• Follow up invoice and payment instructions with a fax or phone call, or courier a hard copy

• Purchase lookalike domain names (defensive registration) to reduce the risk of typosquatting

• Use a document anti-fraud and anti-tampering solution

• Technologies like IRM, email encryption, strong passwords
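A password on the invoice stops a reader; it does not tell the payer that the bank details inside were changed. One minimal anti-tampering control for payment instructions, as an added example that is not from the original deck: both parties agree a secret at contract signing and hand it over out of band (never by e-mail), the sender computes an HMAC over a canonical encoding of the payment fields, and the payer verifies it before releasing funds. A changed IBAN, amount or beneficiary fails the check. The key, invoice number and IBAN values are constructed for the example.

```python
# Added example (not from the deck): tamper-evident payment instructions using
# HMAC-SHA256 over a canonical field encoding. The key, invoice and IBAN values
# are constructed; the key would be agreed in the contract and shared out of band.
import hashlib
import hmac
import json


def canonical(instruction):
    """Deterministic bytes for a dict of fields: sorted keys, no whitespace,
    every value as a string. Sender and receiver must use the same encoding."""
    return json.dumps({k: str(v) for k, v in instruction.items()},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_instruction(instruction, key):
    """Hex HMAC-SHA256 tag sent alongside the invoice (printed on it, or read out by phone)."""
    return hmac.new(key, canonical(instruction), hashlib.sha256).hexdigest()


def verify_instruction(instruction, tag, key):
    """True only if every field is exactly as signed; compare_digest avoids timing leaks."""
    return hmac.compare_digest(sign_instruction(instruction, key), tag)


# Agreed at contract signing, handed over out of band, never e-mailed (constructed value).
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00112233445566778899aabbccddeeff0")


def demo():
    """Sign a constructed instruction, then show that a swapped IBAN fails to verify."""
    instruction = {
        "invoice": "INV-2016-0417",   # unique per invoice, so a tag cannot be replayed
        "date": "2016-04-19",
        "amount": "250000.00",
        "currency": "AED",
        "beneficiary": "Garment Exporter LLC",
        "iban": "AE070331234567890123456",
    }
    tag = sign_instruction(instruction, SHARED_KEY)
    tampered = dict(instruction, iban="AE070339876543210987654")
    return (verify_instruction(instruction, tag, SHARED_KEY),
            verify_instruction(tampered, tag, SHARED_KEY))


if __name__ == "__main__":
    original_ok, tampered_ok = demo()
    print("original verifies:", original_ok, "| tampered verifies:", tampered_ok)
```

The control only holds while the shared key stays out of the mailboxes the attacker is sitting in, which is why it belongs in the contract and not in the e-mail thread. A signing certificate (S/MIME or PGP) avoids sharing a secret at all, at the cost of managing keys on both sides.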

How To Avoid… Proactive Controls

Consider Cyber Insurance

Standard guidance relating to information security practices (anti-malware, network scan, awareness) also applies

But.. If you have been hit..

• Wake up your banker, police, and every concerned department in your government (the first hours count; once the funds have been moved on from the receiving bank, a recall rarely succeeds)

• Call the cops and lodge a formal complaint

• Activate your country’s Ambassador in the city where the money has been transmitted

• Get him to catch up with the Chairman and the Managers of the bank where the money has been transferred

• Report the matter to the local government, friendly minister(s), police, CID…. Army, Navy.. News media, TV … everyone

• Get everyone involved to stop the money from moving ahead in the chain

• Wake up the banker at the other end of the world: tell him/her that stolen money has been deposited into his bank, find out the status of the funds, and, if the money is still at his/her bank, get it frozen

• Your IS, IT, incident response team along with Finance, HR etc must be on duty (I hope you have an SOP in place)

• Start investigation by recreating the trail – identify the modus operandi and share with all the above persons

• Good Luck!

The Internal Auditor

You are the trusted advisor and (may) be the one factor that will enable controls to avoid the risk of being faced with either threat, or any other that may be unknown today.

Responsibilities For The New Age Ahead

The Internal Auditor

New Age Responsibility

• The Internal Auditor has oversight over corporate strategy, finance, fraud, operations, compliance, risk…. and more

• Now .. Please add Information Technology… and Data Security

• Technology is all pervasive and the role is increasing in the enterprise

• Present day risks, threats, frauds have their genesis in technology

• As Auditors – we have to understand how things work, why, when, and where!

Where To Start

• Risk based approach to all functions that are being technology enabled

• Become technology enabled personally – understand how things work and why and what makes them work

• Update your vocabulary to learn tech jargon – just so you are not fazed when someone throws a spiel at you!

• Read Tech news with more interest – every incident that happens elsewhere may be brewing in your backyard

• Enable data classification, backup, topical awareness

Bigger Threats To Be Welcomed

• Internet of Things

• Cloud Computing

• Mobile Computing

• Wearables

• Internet everywhere

• Data Manipulation

• Data Poisoning

TIME TO STEP UP

When did the future switch from being a promise to being a threat?

And my best wishes for you and your clients to be computing safely.

May the force be with you (and not the criminal) !

ABOUT ME & CONTACT INFORMATION


@bizsprite

L: linkedin.com/in/dineshbareja

+91.9769890505

dineshobareja

dineshobareja

infosecgallery.blgspot.com

securambling.blogspot.com

Information Security professional; works hard to be abreast of technology, risks, threats, opportunities and looks forward to the excitement of the future..

A few sources among others

• http://www.slideshare.net/ShahSheikh/national-oil-company-conference-2014-evolving-cyber-security-a-wake-up-call

• http://www.rand.org/blog/2016/04/ransomware-hackers-are-coming-for-your-health-records.html

• http://www.dailymail.co.uk/news/article-2249487/Norwegian-workers-great-delight-scaring-colleague.html

• Google