Social Engineering and Phishing - SeNet International Corporation


Social Engineering and Phishing (Fish are not the only things that need to be concerned.)

August 24, 2011

SeNet

Introduction

During the course of this presentation, I will illustrate methods that attackers and others with malicious intent have used to compromise Personally Identifiable Information (PII) and other sensitive data. I will also examine several case studies that show how PII was compromised and how the breach could have been prevented. Finally, I will offer several defense and protection mechanisms.

I am SeNet’s Chief Technology Officer (CTO). Previously, I worked for the security consulting practices of both KPMG and Deloitte and Touche. I have led and performed numerous vulnerability assessments and penetration tests in support of financial audits, FISMA audits, and other compliance-related efforts. I can be reached at 703-206-9383 or [email protected].

© 2011 SeNet International Corp.


About SeNet

SeNet International is a small business founded in 1998 to deliver network and information security consulting services to government and commercial clients.

• High-End Consulting Services Focus
  – Government Certification and Accreditation Support
  – Network Integration
  – Security Compliance Verification and Validation
  – Security Program Development with Business Case Justifications
  – Complex Security Designs and Optimized Deployments

• Proven Solution Delivery Methodology
  – Contract Execution Framework for Consistency and Quality
  – Technical, Management, and Quality Assurance Components

• Exceptional Qualifications
  – Executive Team – Security Industry Reputation and Active Project Leadership
  – Expertise with Leading Security Product Vendors, Technologies, and Best Practices
  – Advanced Degrees, Proper Clearances, Standards Organization Memberships, and IT Certifications

• Corporate Resources
  – Located in Fairfax, Virginia
  – Fully Equipped Security Lab
  – Over 40 Full-time Security Professionals

The PII Challenge

Definition

Personally Identifiable Information (PII) is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.

Challenges of PII

• Pervasive – traditional and new, non-traditional end points
• Highly sensitive and highly coveted
• Difficult to do away with

PII Examples

Examples of PII include:

• Full name (if not common)
• National identification number
• IP address (in some cases)
• Vehicle registration/plate number
• Driver's license number
• Face, fingerprints, or handwriting
• Credit card numbers
• Digital identity
• Birthday
• Birthplace
• Genetic information

PII Leakage Paths

PII can “leak out” intentionally and unintentionally in many ways, such as:

• E-mail attachments
• Printouts and faxes
• Lost tapes, zip drives, and other storage media
• Lost or stolen laptops
• Social networking
• Instant messaging programs
• File sharing programs
• Unsecure Web sites
• Active attacks by bad actors

Data Leakage Paths


PII Attack Vectors

• Phishing (no, it’s not a typo)
• Social Engineering
• Cross-site Scripting (XSS)
• SQL Injection
• Malware
• Many others

Phishing Attacks and Social Engineering

While there are several different attack vectors that could be used to gain unauthorized access to PII, two of the most common are old-fashioned social engineering and phishing attacks.

What is Social Engineering?

Social engineering is the process of deceiving people into giving away access or confidential information. Wikipedia defines it as “the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.” Many consider social engineering to be the greatest risk to security.

Categories of Social Engineers

• Hackers
• Spies or Espionage
• Identity Thieves
• Disgruntled Employees
• Scam Artists
• Sales
• Governments

Why Social Engineering?

“Because there is no patch for human stupidity.”

“People are the largest vulnerability in any network.”

Path of Least Resistance

A hacker can spend hours, weeks, or months trying to brute force his or her way to a password... when a phone call with the right pretext and perfect questions can identify the same password or more in a few minutes.

What is Pretexting?

• Pretexting is the act of creating an invented scenario to persuade a targeted victim to release information or perform some action.
• It is more than just creating a lie; in some cases, it can be creating a whole new identity and then using that identity to manipulate the receipt of information.
• Pretexting can also be used to impersonate people in certain jobs and roles that they have never performed themselves.

Pretexting is also not a “one size fits all” solution. A social engineer will have to develop many different pretexts over his or her career. All of them will have one thing in common: research. Good information gathering techniques can make or break a good pretext. Being able to mimic the perfect technical support representative is useless if your target does not use outside support. One of the most important aspects of social engineering is trust.

Common SE Attack Vectors

In the world of social engineering, there are numerous attack vectors. Some involve a lot of technology; others contain none at all.

• Customer Service
• Tech Support
• Marketing
• Phone
• Delivery Person

Phishing vs. Spear Phishing

• Phishing – E-mails that typically contain a link to a counterfeit Web site and are designed to look like an authentic login page. They will actually capture personal data for cyber criminals, who will use the data to commit financial fraud.

• Spear Phishing – Targets are identified in advance and the e-mails that attempt to trick them into handing over personal data can be highly specific. They might claim to come from a friend or colleague, or seek to exploit the target’s known interests.

Social Engineering Tools

• SET – Social Engineering Toolkit (http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET))

• BeEF – Browser Exploitation Framework (http://www.bindshell.net/tools/beef.html)

• Metasploit – http://www.metasploit.com/

Demo Time


APT and PII

APT is not about smashing and grabbing; rather, it is about methodically reaching your objectives, establishing a beachhead within the organization, and exploiting as much of the organization as possible for as long as possible without being detected.


APT and PII (cont’d)

APT is:

• Advanced – Assumes everything from mundane attack attempts to sophisticated custom crafting of exploits.

• Persistent – Focused on an objective, so this is not just a “drive-by” or “smash-and-grab.” The threat will not go away or move out of legal reach. “Persistent” means trying to maximize exploitation of information over a period of time, sometimes a long period of time.

• Threat – Targeting your organization for a specific reason. This takes advantage of human ability and creativity, and is not a bot or worm, although those tools may be employed.

Case Study 1: Operation Aurora

• Began in mid-2009 and continued through December 2009. Involved several other companies in addition to Google.

• Google stated that some of its intellectual property had been stolen.

• Attackers were interested in accessing Gmail accounts of Chinese dissidents.

• Attackers had exploited purported zero-day vulnerabilities in Internet Explorer.


Case Study 1 (cont’d)

• Additional vulnerabilities were found in Perforce, the source code revision software used by Google to manage their source code.

• Once a victim's system was compromised, a back-door connection that masqueraded as an SSL connection made connections to command and control servers.

• The victim's machine then began exploring the protected corporate intranet of which it was a part, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories.


Case Study 2

This case study explores an example where data (including PII) in an Oracle database is compromised.

Initially, a scan is conducted to identify Oracle databases.

Case Study 2 (cont’d)

Weak passwords are not just a problem with Microsoft. This tool can be used to determine whether default Oracle passwords exist.


Case Study 2 (cont’d)

With the correct credentials obtained, a tool such as DB-Examiner can be used to obtain a graphical view of the database structure.

Case Study 2 (cont’d)

Of course, data is the crown jewel that many attackers are after. In this example, using the compromised account and information about the data structure, a query is executed to view personal data including name, social security number, and salary.

Methods to Protect PII

• Encryption
• Multi-factor Authentication
• Strong Access Controls
• Security Awareness Training
• End-point Security
• Data Leakage Prevention
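The PII examples listed earlier (social security numbers, credit card numbers) and the "Data Leakage Prevention" item above describe a control but not what one looks like in practice. The following is an added example, not code from the presentation or from SeNet: a minimal outbound-content check that finds U.S. Social Security numbers and Luhn-valid payment card numbers in a message and redacts them before the message leaves the organization. The sample message, the names in it and the numbers (123-45-6789, the 4111 test card number) are constructed and not real records.

```python
"""Minimal data-leakage-prevention check for outbound text (added example).

Finds U.S. Social Security numbers and Luhn-valid payment card numbers and
redacts them. The sample message below is constructed; nothing in it is real.
"""
import re

# SSN: three groups, excluding area 000/666/9xx, group 00 and serial 0000,
# which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
# Luhn validation below weeds out phone numbers, order ids and similar.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _card_digits(candidate: str) -> str:
    """Strip separators; return the digits only if the candidate is a valid card."""
    digits = re.sub(r"\D", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return ""


def find_pii(text: str) -> list:
    """Return (kind, matched_text) pairs for each SSN or card number found."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        if _card_digits(m.group()):
            findings.append(("card", m.group().strip()))
    return findings


def redact(text: str) -> str:
    """Replace SSNs entirely and cards with their last four digits."""
    text = SSN_RE.sub("[SSN REDACTED]", text)

    def _mask_card(m):
        digits = _card_digits(m.group())
        if not digits:
            return m.group()            # not a card number; leave untouched
        trailing = m.group()[len(m.group().rstrip()):]
        return f"[card ending {digits[-4:]}]" + trailing

    return CARD_RE.sub(_mask_card, text)


# Constructed sample: the kind of record Case Study 2 shows an attacker querying
# (name, SSN, salary), plus a constructed card number.
SAMPLE_MESSAGE = (
    "Hi, here is the employee record: Jane Doe, SSN 123-45-6789, salary 85000. "
    "Corporate card 4111 1111 1111 1111 expires 12/26."
)

if __name__ == "__main__":
    for kind, value in find_pii(SAMPLE_MESSAGE):
        print(f"found {kind}: {value}")
    print(redact(SAMPLE_MESSAGE))
```

A production DLP product adds context (file type, recipient domain, document classification) and many more patterns; the point of the example is that the classic PII items on the earlier slide are mechanically detectable, so an outbound gateway can block or quarantine a message before the leakage paths above are used.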

Social Engineering Protections

• Education/training
• Be aware of the information you are releasing.
• Determine which of your assets are most valuable to criminals.
• Keep your software up to date.
• When asked for information, consider whether the person you are talking to deserves the information they are asking about.
• Report suspicious activity.
• Be skeptical.
• Never respond using information contained in the e-mail, particularly links to Web sites.
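The phishing definition earlier (a link to a counterfeit site that looks like the real login page) and the last protection above (never follow links contained in the e-mail) both come down to one check a mail gateway or awareness tool can automate: does the link text say one thing while the href goes somewhere else, and does the destination host merely contain the name of a site the organization trusts? The following is an added example, not code from the presentation or from SeNet. The trusted-domain list (bank.example, mail.example) and the sample e-mail are constructed assumptions.

```python
"""Flag deceptive links in an HTML e-mail body (added example).

Three checks: visible text names a different domain than the href, the href
host is a lookalike of a trusted domain, or the href uses a non-HTTP scheme.
The trusted-domain list and the sample message are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: domains whose login pages this organization actually uses.
TRUSTED_LOGIN_DOMAINS = {"bank.example", "mail.example"}

# Something that looks like a hostname inside visible link text.
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host. A real deployment should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def impersonates_trusted(host: str) -> bool:
    """True when host contains a trusted site's name but is not under that domain,
    e.g. bank.example.login-verify.test or bank-example.test."""
    host = host.lower()
    for trusted in TRUSTED_LOGIN_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return False
    for trusted in TRUSTED_LOGIN_DOMAINS:
        label = trusted.split(".")[0]           # "bank" from "bank.example"
        if label in host.replace("-", ""):
            return True
    return False


def analyze_email(html: str) -> list:
    """Return (reason, visible_text, href) for each suspicious link."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        try:
            href_host = urlparse(href).hostname or ""
        except ValueError:
            href_host = ""
        m = DOMAIN_IN_TEXT_RE.search(text)
        text_host = m.group(1).lower() if m else None
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(("text/href mismatch", text, href))
        if impersonates_trusted(href_host):
            findings.append(("lookalike domain", text, href))
        if href.lower().startswith(("javascript:", "data:")):
            findings.append(("non-http scheme", text, href))
    return findings


# Constructed sample: a suspension lure whose visible text names the trusted
# bank while the href points at a lookalike host, plus one legitimate link.
SAMPLE_EMAIL = """
<p>Your account will be suspended. Please
<a href="http://bank.example.login-verify.test/auth">sign in at bank.example</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://mail.example/help">https://mail.example/help</a>.</p>
"""

if __name__ == "__main__":
    for reason, text, href in analyze_email(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

The mismatch check is the automated form of the advice on this slide: hover over the link (or, as here, read the href) rather than trusting the words the sender chose to display. The lookalike check catches the spear-phishing variant where the text and href agree but the host is one the target has never actually used.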

Conclusions

As can be seen throughout this presentation, there are many different attack vectors that can be used to gain access to your PII or other sensitive information. Often, attackers choose the easiest target, which is why social engineering and phishing are being used more frequently.

While no method can guarantee 100% protection against these types of attacks, by understanding how these attacks work, you can better defend yourself against them.


Questions?
