Source: iiauae.org (slide transcript)
Data Terrorism
Present day risks, threats, crimes, malicious and erroneous actions affect data in the
manner that terrorism affects lives and can bring down organizations or human beings
19th April 2016, Dubai
Preamble
• The talk is about uncommon present day risks / threats / attacks that use data as a weapon, as hostage or as target and have the potential to disrupt, or close down, a thriving business
• We will take a few moments to discuss essential proactive security business practices and the role of auditors to steer client organizations into the right direction
Context
• This is not a techie talk
• My objective is to share knowledge about something where the experts are still searching for solutions and expertise
• And…. to stimulate an additional line of thinking when your “Audit Antenna” starts pinging you
Pyramid Services Portfolio
• Cyber Security & Digital Forensic Services
• Turnkey SOC and Digital Forensic Lab setup
• Forensic Investigation Services
• Security Incident Response and Management
• Managed Security Services
• Digital Fraud Solutions for Document Integrity
• VA/PT and AppSec
• Deception Technology Solution
• Social Media Monitoring and Intelligence
• Threat Intelligence
• Etc….
A Brief Introduction
Dinesh O Bareja, MVP, CISA, CISM, ITIL, ISMS, Cert ERM, Cert IPR
• Principal Advisor – Pyramid Cyber Security & Forensic FZE
• Researcher – Open Security Alliance
• Member IGRC – Bombay Stock Exchange
• Ex Cyber Surveillance Advisor – CDRC (Jharkhand Police – Special Branch)
My Interest Areas…… Enterprise & Government Policy Development; Threat Intelligence; Managed Security; Security Strategy, Design, Architecture; Audit & Optimization; Governance, Risk Management; … and more.
ABOUT ME
Agenda
• Assets
• A Quick Look At Terrorism
• FUD: Fear Uncertainty & Doubt
• Data Terrorism
• Ransomware
• Business Email Compromise (BEC)
• The Internal Auditor
ASSETS
Assets are tangible or intangible and are continuously under the lens of the Internal Auditor – we take another look at what you are looking at
What Is The Most Valuable Asset In ANY Organization
• Something you spend countless man hours, days, years of effort to create
• It takes different forms
• Crucial for your survival, happiness, growth …
• Grows on you and you don’t even know it… just like your own physical and mental self
• After a while you do not know what you have –why you have what you have, where it is - why it is there
The MVA is YOUR
IP – Patents, Formulae etc
Payroll
Supplier Info
Confidential Reports
Strategic Plans
Acquisition Plans
Accounts
Customer Data
Sales Plans
Cost Sheets
Invoices
Hiring / Firing
Board Meetings
Audit Findings
Defining “Terrorism”
Someone comes along, tramples all over, destroys everything we hold dear and sets the clock back into the dark ages
Inconsiderate brutalisation of life, society and things
Life and all the things you care about – all that we have grown up with to love, respect, nurture
Terrorist V.1 – The Terrorists As We Know Them: masked, trained, gun carrying killers, members of some group
Terrorist V.2 – The Digital Terrorist: unknown, self trained, skilled criminal, invisible, untraceable – can be an individual player
Hackers took over the systems, shut down the grid one by one, updated the firmware on devices with malicious patches to render all hardware useless on rebooting
Other Horror Stories
• Aramco
• Qatar Petroleum
• Target
• Office of Personnel Management, USA
• Ashley Madison
Data As A Weapon
• Individual’s social network and emails are compromised and…
• Email sent from victim’s account to police reporting a bomb or attack or a hijacking
• Or use the victim’s personal wifi and send emails
• Personal pictures tampered and released in social networks
• Obnoxious / obscene phone calls, messages and emails
• Bombarded with SMSes, phone calls, emails
• Enough to terrorize the victim and drive that individual and family to a mental asylum or commit suicide
Victim – Weapon: DATA
Bombarded her with up to 100 threatening phone calls, texts and Facebook messages a day. Hacked into Facebook account. Sent lurid messages calling her “disgusting” and a “slag”.
The precise center of the United States is in northern Kansas, near the Nebraska border. Technically, the latitudinal and longitudinal coordinates of the center spot are 39°50′N 98°35′W. In digital maps, that number is an ugly one: 39.8333333,-98.585522.

In 2002, when MaxMind (a digital mapping company) was first choosing the default point on its digital map for the center of the U.S., it decided to clean up the measurements and go with a simpler, nearby latitude and longitude: 38°N 97°W or 38.0000,-97.0000.

As a result, for the last 14 years, every time MaxMind’s database has been queried about the location of an IP address in the United States it can’t identify, it has spit out the default location of a spot two hours away from the geographic center of the country.

http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/
& Then… In order to help us keep our sanity intact when one sees everything about life being thrown into the gutter of terrorism,
God Made A Few Idiots
How To Terrorize You With Data
• Ransomware
• Business Email Fraud
• Document Fraud
• Espionage
• Keyloggers
• Backdoors
• Wifi Misuse
• Phishing
• Vishing
• Social Engineering
• Honeytraps
• DNA Manipulation
• Data poisoning
• Deception
• ETC…
All one needs is just a dirty criminal mind
It is one of the most dominant threats faced by businesses of all sizes.
Management must face reality, and the auditor can help by highlighting the risk and ensuring proactive controls and action
How Attacks Are Launched
• Infected Email attachments
• Drive-by Download
• Free software
• Unpatched systems
• Scareware
• Spear Phishing
Generally stay away from clicking such file types, especially from unknown persons: .exe, .bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh, .jar and .zip.
The Grim Reaper’s assistant just paid you a call
The time you have to arrange and pay the ransom
How To and FAQs better than the best !
In simple words – don’t try to be intelligent. Just follow our instructions and pay up and get your life back
A pharmaceutical company may have to defreeze its computer data as hackers have seized control of computers and network using malicious 'ransomware' and are demanding $150k in bitcoins (US $64.7 million) to unlock its data.

"All the files have been encrypted and we could see it stored in the system but not access it. The minute we click on any file, it opens a decrypt browser, which asks for money. If we don't pay the amount they are threatening to double the amount,"
SMALL BUSINESS, SMALL DEMAND
Hackers demanded $500 from a businessman to get access to 500 GB of his company's data, personal pictures and videos stored in his laptop, which was locked using ransomware.
He was not left with a choice but to format his computer, thereby losing all the data
This timeline is being shown only to reinforce the fact that this threat has been around for quite some time but we have had our head in the sand
Proactive Controls
• Practice Safe Email Usage
• Don’t Open Spam
• Enable Security
• Test Your Backup
• Awareness
• Cyber Insurance
• Oversight
• Backup, Backup and Backup
If The Backup Works
• Format the hard drive
• Do a thorough scan on the COMPLETE network
• Restore your data
• This is not going to be as easy as anyone has told you!
If The Backup Doesn’t Work
• Isolate the infected systems
• Call in your incident response SWAT team
• Identify the malware family
• Make an image of the drive
• Attempt to decrypt (only on the copy)
• Back off if it is not working (get back to work)
• Negotiate the ransom (start with a 10% offer)
IN EITHER CASE
• Do a forensic analysis of your network to see what came in, when, and why. Follow up the learning with control updates and corrections
• Communicate the issue at the time of discovery to your employees (at all levels) and share the details of the investigation process and progress
• Create an awareness program to be run with all employees in the aftermath of the incident
• Create a sensitization program and plan for periodic delivery to all employees and stakeholders
BUSINESS EMAIL COMPROMISE
A simple risk that compromises the integrity of emails being exchanged by you (?) internally or with a supplier or buyer. Leads to loss of money (payment) when the transaction is consummated!
How It Works
• Compromise Vector – phishing, spear phishing using lookalike domain name (another risk called “typosquatting”)
- Common extensions (xyzbank-online vs. xyzbank)
- Similar sounding character combinations (mispace vs. myspace)
- Missing characters (gmai vs. gmail)
- Missing double characters (leson vs. lesson)
- Extra double characters (yahhoo vs. yahoo)
- Wrong character sequence (IMB vs. IBM)
- Wrong key pressed (fesex vs. fedex)
Typosquatting
12 variants found for Mashreq Bank
• mashreqbankonline.com
• ashreqbank.com
• mshreqbank.com
• mahreqbank.com
• masreqbank.com
• masheqbank.com
• mashrqbank.com
• mashrebank.com
• mashreqbnk.com
• mashreqban.com
• mashrreqbank.com
• masherqbank.com
• 92 other suggestions by an online portal
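The lookalike classes listed above can be generated mechanically for each supplier or bank domain you trust, and incoming sender domains checked against that set as a receiving-side BEC control. The example below is added here and is not code from the talk; the Mashreq Bank variants are the ones on the slide, while the keyboard adjacency table and the extension words are assumptions.

```python
# Added example, not the talk's own code. QWERTY rows are an assumed layout (row offsets ignored).
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def neighbours(ch):
    """Keys adjacent to ch on the assumed QWERTY layout, for the 'wrong key pressed' class."""
    for r, row in enumerate(ROWS):
        if ch in row:
            i = row.index(ch)
            return {ROWS[rr][j] for rr in (r - 1, r, r + 1) if 0 <= rr < 3
                    for j in (i - 1, i, i + 1) if 0 <= j < len(ROWS[rr])} - {ch}
    return set()

def typosquat_variants(domain, extensions=("online", "bank", "secure")):
    """Map each lookalike of `domain` to the slide's typosquat class that produces it."""
    label, _, tld = domain.partition(".")
    out = {}
    def add(lbl, cls):
        if f"{lbl}.{tld}" != domain:
            out.setdefault(f"{lbl}.{tld}", cls)   # first class to generate a string wins
    n = len(label)
    for ext in extensions:                        # common extensions (xyzbank-online vs. xyzbank)
        add(label + ext, "extension")
        add(f"{label}-{ext}", "extension")
    for i in range(n):                            # missing character (gmai vs. gmail); also
        add(label[:i] + label[i + 1:], "missing character")   # covers missing double (leson)
    for i in range(n - 1):                        # wrong character sequence (IMB vs. IBM)
        if label[i] != label[i + 1]:
            add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i in range(n):                            # extra double character (yahhoo vs. yahoo)
        add(label[:i] + label[i] + label[i:], "extra double character")
    for i in range(n):                            # wrong key pressed (fesex vs. fedex)
        for k in neighbours(label[i]):
            add(label[:i] + k + label[i + 1:], "wrong key")
    return out

def check_sender(sender_domain, trusted_domains):
    """Return (trusted_domain, class) when the sender domain is a lookalike, else None."""
    sender_domain = sender_domain.lower().strip()
    if sender_domain in trusted_domains:          # exact trusted domain is not a lookalike
        return None
    for trusted in trusted_domains:
        cls = typosquat_variants(trusted).get(sender_domain)
        if cls:
            return (trusted, cls)
    return None

if __name__ == "__main__":
    # Variant domains below are the ones listed on the slide for Mashreq Bank.
    for d in ["mshreqbank.com", "masherqbank.com", "mashreqbankonline.com", "mashreqbank.com"]:
        print(d, "->", check_sender(d, ["mashreqbank.com"]))
```

The "similar sounding" class (mispace vs. myspace) is not generated, since it needs a phonetic table rather than a string edit; the other six classes on the slide are covered.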
How It Works
• Compromise Vector - phishing, spear phishing using lookalike domain name (another risk called “typosquatting”)
• Modus Operandi –
• Highly targeted and will not alert spam traps
• The crooks would have done their due diligence to understand organization stakeholders, their business, interests, relationships, travel plans, transactions etc
• Place themselves in the middle of an email conversation with supplier/buyer
• Both ends trust the spoofed email address
• When the communication carries bank information for a payment, this is changed
• Payment goes out to the criminal’s bank and it is siphoned out without delay
Horror Stories
• A small Exchange Company lost AED 4 m when their emails were intercepted and the fraudsters changed values in excel files carrying transmission instructions
• Small business garment exporter lost $ 0.5 m as his invoice with payment instructions was tampered in transit
• Ubiquiti Networks (q3-2015) reported $ 46.7 m lost in email compromise attack
• The Scoular Co, Omaha (USA) $ 17.2 m – executive wired the amounts to China after receiving instructions via email
How To Avoid… Proactive Controls
• Authentication of recipient and sender emails at both ends
• Create a trusted email and include this in the contract
• Frequently audit the emails from and to this account
• Encrypt email communication
• Protect invoices and payment instruction documents with strong passwords (do not send the password in the same email!)
• Follow up invoice and payment instructions with a fax or phone calls or courier a hard copy
• Purchase the likely spoofed domain names yourself to reduce the risk of typosquatting
• Use document anti-fraud and anti-tampering solutions
• Technologies like IRM, email encryption, strong passwords
How To Avoid… Proactive Controls
• Consider Cyber Insurance
• Standard guidance relating to information security practices (anti-malware, network scans, awareness) also applies
But.. If you have been hit..
• Wake up your banker, police, and every concerned department in your government
• Call the cops and lodge a formal complaint
• Activate your country’s Ambassador in the city where the money has been transmitted
• Get him to:
- catch up with the Chairman and the Managers of the bank where the money has been transferred
- report the matter to the local government, friendly minister(s), police, CID…. Army, Navy.. News media, TV … everyone
- get everyone involved to stop the money from moving ahead in the chain
• Wake up the banker at the other end of the world:
- tell him/her that stolen money has been deposited into his bank
- find out the status of the funds
- and, if the money is still at his/her bank, get it frozen
• Your IS, IT, incident response team along with Finance, HR etc must be on duty (I hope you have an SOP in place)
• Start investigation by recreating the trail – identify the modus operandi and share with all the above persons
• Good Luck!
The Internal Auditor
You are the trusted advisor and (may) be the one factor that will enable controls to avoid the risk of being faced with either threat, or any other that may be unknown today.
New Age Responsibility
• The Internal Auditor has oversight over corporate strategy, finance, fraud, operations, compliance, risk…. and more
• Now .. Please add Information Technology… and Data Security
• Technology is all pervasive and the role is increasing in the enterprise
• Present day risks, threats, frauds have their genesis in technology
• As Auditors – we have to understand how things work, why, when, and where!
Where To Start
• Risk based approach to all functions that are being technology enabled
• Become technology enabled personally – understand how things work and why and what makes them work
• Update your vocabulary to learn tech jargon – just so you are not fazed when someone throws a spiel at you to faze you !
• Read Tech news with more interest -every incident that happens elsewhere may be brewing in your backyard
• Enable data classification, backup, topical awareness
Bigger Threats To Be Welcomed
• Internet of Things
• Cloud Computing
• Mobile Computing
• Wearables
• Internet everywhere
• Data Manipulation
• Data Poisoning
And my best wishes for you and your clients to be computing safely.
May the force be with you (and not the criminal) !
ABOUT ME & CONTACT INFORMATION
@bizsprite
L: linkedin.com/in/dineshbareja
+91.9769890505
dineshobareja
dineshobareja
infosecgallery.blgspot.com
securambling.blogspot.com
Information Security professional, works hard to be abreast of technology, risks, threats, opportunities and looks forward to the excitement of the future..
A few sources among others
• http://www.slideshare.net/ShahSheikh/national-oil-company-conference-2014-evolving-cyber-security-a-wake-up-call
• http://www.rand.org/blog/2016/04/ransomware-hackers-are-coming-for-your-health-records.html
• http://www.dailymail.co.uk/news/article-2249487/Norwegian-workers-great-delight-scaring-colleague.html