Jeff Rovelli, Director IT Security, Knights of Columbus
Posted on 19-Jul-2018

Transcript
Jeff Rovelli
Director IT Security
Knights of Columbus
Jeff.Rovelli@kofc.org
(203) 752-4033
IT Security Best Practices
• Unprecedented number of data breaches in 2014 and 2015
  • Target, Sony, Home Depot, Anthem, OPM, Scottrade
  • Estimated Anthem cost - millions of dollars
  • 9 months undetected
• New catch phrase… “It is not if, but when”
• This has greatly increased corporate executive awareness
• Increased visibility good for enhancing IT security programs
• How do we engage executives?
IT Security Best Practices
• Develop an IT Security Business Plan detailing proposed and future IT Security enhancements
  • Internal and external IT Security review
  • Shows executives you have a plan and what areas need improvement
• Develop a Cyber Incident Response Plan
  • Conduct table top exercises to test and vet plan
• IT Security reports to Chief Compliance Officer rather than CTO or CIO
  • Still work closely with ITS but eliminates conflict of interest
IT Security Best Practices
• Unfortunately there is no silver bullet to eliminate any chance of a successful attack
• Weakest link – end users
• Basic IT Security
  • Patch and update systems
  • Browser/Internet security – McAfee, Websense
    • Track access to malicious websites
    • Track inappropriate user activity
  • Email security – McAfee, Websense, Proofpoint
    • Protect PII and other sensitive data
    • Block phishing attempts
IT Security Best Practices
• Basic IT Security
  • Antivirus – McAfee, System Center Endpoint Protection (SCEP)
  • Intrusion Detection System – Trustwave, Dell SecureWorks
  • External/Internal Penetration Testing – BeyondTrust, Rapid 7
  • Web Application Testing – Veracode
  • Security Information and Event Management (SIEM) tool
    • Collects log information and other security events into a central repository for trend analysis and alerting
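Added example, not part of the slides or of any vendor's product: a minimal version of what the SIEM bullet describes, in Python. Two constructed log feeds with different formats (an sshd syslog feed and a VPN concentrator feed; the formats, hostnames and RFC 5737 addresses are all made up for illustration) are normalized into one schema and stored in one time-ordered list, and a rule alerts when failed logons from a single source address cross a threshold across both feeds inside a sliding window. Neither feed on its own reaches the threshold; only the central repository does, which is the reason to collect everything in one place.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: one Linux sshd syslog-style feed
# and one VPN concentrator feed with its own format. Addresses are from the
# documentation ranges (RFC 5737).
SAMPLE_LOGS = [
    ("sshd", "2015-11-13T09:00:01 sshd[1201]: Failed password for admin from 198.51.100.7 port 51022 ssh2"),
    ("sshd", "2015-11-13T09:00:09 sshd[1201]: Failed password for admin from 198.51.100.7 port 51023 ssh2"),
    ("sshd", "2015-11-13T09:00:15 sshd[1201]: Failed password for invalid user root from 198.51.100.7 port 51024 ssh2"),
    ("sshd", "2015-11-13T09:00:40 sshd[1201]: Accepted password for jsmith from 203.0.113.5 port 40010 ssh2"),
    ("vpn",  "2015-11-13T09:01:02 vpn: AUTH_FAIL user=admin src=198.51.100.7"),
    ("vpn",  "2015-11-13T09:01:30 vpn: AUTH_FAIL user=admin src=198.51.100.7"),
    ("vpn",  "2015-11-13T10:30:00 vpn: AUTH_FAIL user=bob src=192.0.2.44"),
]

# One parser per source; each maps its own format onto the common schema.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
VPN_RE = re.compile(
    r"^(?P<ts>\S+) vpn: (?P<result>AUTH_FAIL|AUTH_OK) user=(?P<user>\S+) src=(?P<src>\S+)"
)
PARSERS = {
    "sshd": (SSHD_RE, {"Failed": "failure", "Accepted": "success"}),
    "vpn":  (VPN_RE,  {"AUTH_FAIL": "failure", "AUTH_OK": "success"}),
}


def normalize(source, line):
    """Turn one raw line into a common event dict, or None if it cannot be parsed."""
    if source not in PARSERS:
        return None
    pattern, outcomes = PARSERS[source]
    m = pattern.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "source": source,
        "user": m["user"],
        "src_ip": m["src"],
        "outcome": outcomes[m["result"]],
    }


def collect(lines):
    """The 'central repository': every source's events in one time-ordered list."""
    events = [e for e in (normalize(src, line) for src, line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def failed_login_alerts(events, threshold=4, window=timedelta(minutes=5)):
    """Alert once per source IP when at least `threshold` failures from that IP,
    counted across ALL sources, fall inside a sliding time `window`."""
    recent = defaultdict(list)          # src_ip -> [(ts, source), ...] inside the window
    alerts, alerted = [], set()
    for e in events:
        if e["outcome"] != "failure":
            continue
        bucket = recent[e["src_ip"]]
        bucket.append((e["ts"], e["source"]))
        while bucket and e["ts"] - bucket[0][0] > window:
            bucket.pop(0)               # drop failures that aged out of the window
        if len(bucket) >= threshold and e["src_ip"] not in alerted:
            alerted.add(e["src_ip"])
            alerts.append({
                "src_ip": e["src_ip"],
                "count": len(bucket),
                "first": bucket[0][0],
                "last": e["ts"],
                "sources": sorted({src for _, src in bucket}),
            })
    return alerts


def failures_by_user(events):
    """Trend view: which accounts are being guessed, regardless of source."""
    return Counter(e["user"] for e in events if e["outcome"] == "failure")


if __name__ == "__main__":
    evts = collect(SAMPLE_LOGS)
    for a in failed_login_alerts(evts):
        print(f"ALERT {a['src_ip']}: {a['count']} failures via {a['sources']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    print("failures by account:", dict(failures_by_user(evts)))
```

Running the same rule over the sshd feed alone returns no alert (three failures, threshold four); the VPN feed alone has two. A real SIEM adds persistence, clock normalisation across sources and many more parsers, but the shape is the same: normalize, store centrally, then evaluate rules and trends over the combined data.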
IT Security Best Practices
• Encrypt laptops and other mobile devices
• Privileged user and application review
• Information Security Training
• Written Information Security Policies
  • Acceptable use
  • Written Information Security Plan (WISP)
  • Incident Response Plan
• Cyber Insurance Policy
IT Security Best Practices
• 2015 IT Security Project
  • Protect against end user actions and zero day vulnerabilities
  • 2015 Project - Desktop/laptop vulnerability to web attacks continues to be a very high risk. This includes user-targeted threats, including spear-phishing, watering hole attacks, drive-by downloads, and ransomware.
  • A Desktop Protection Tool creates a secure virtual container, local to the desktop, to wall off and seamlessly run the most highly targeted applications, such as web browsers, PDF files and Microsoft Office files in an isolated environment.
SCCE Regional Compliance & Ethics Conference
Investigating Cyber Crime
13 Nov 2015
Martin J. McBride
Supervisory Special Agent
FBI - Computer Intrusion Program
FBI Priorities
• The FBI focuses on threats that:
  • Challenge the foundations of American society or
  • Involve dangers too large or complex for any local or state authority to handle alone.
• In executing the priorities shown on the next slide, the FBI—as both:
  • A national security and
  • A law enforcement organization
• Will produce and use intelligence to
  • Protect the nation from threats
  • Bring to justice those who violate the law
FBI Priorities
1. Protect the United States from terrorist attack
2. Protect the United States against foreign intelligence operations and espionage
3. Protect the United States against cyber-based attacks and high-technology crimes
4. Combat public corruption at all levels
5. Protect civil rights
6. Combat transnational/national criminal organizations and enterprises
7. Combat major white-collar crime
8. Combat significant violent crime
9. Support federal, state, local and international partners
10. Upgrade technology to successfully perform the FBI’s mission
FBI Cyber Priorities
• The Cyber Program investigates
  – Computer intrusions targeting the national information infrastructure
    • National Security (Nation-state backed intruders)
    • Criminal
  – Internet-facilitated criminal activity
    • For example, Significant Internet Fraud
      – Highly organized
      – Large dollar amounts (hundreds of thousands)
      – Large victim population
  – Supports FBI priorities across Program lines
    • Counterterrorism
    • Counterintelligence
    • Criminal investigations
Investigating Cyber Crime
• Objectives
  • RansomWare
  • Recognizing the good from the bad
  • What’s happening in CT today
  • Investigating internationally
  • Hop Points
  • Why everyone should care about cyber security
  • Reaching out to Law Enforcement
    • Who, what, where, why, when, and how
Ransomware
• Malware installed on a computer
• Gives the installer the ability to lock a computer remotely
• The malware often generates
  • Pop-up window
  • Webpage
  • Email warning
• Looks like it comes from an official authority
Ransomware
• Holds your computer/data hostage until you pay a fee to get it unlocked
• How is it installed?
  • User
    • Opens a malicious email attachment
    • Clicks a malicious link
      • E-mail message
      • Instant message
      • Web page
    • Visits a malicious website
      • Social networking sites are big targets now
Ransomware
• Defense against ransomware
  • Maintain software patches and AV protection
  • Backup your important data and programs
• Recovery
  • Pay ransom and pray for decrypt code
  • Restore pre-infection backup
Internet - Recognizing Bad Things
• Indicators of a Scam
  • Too good to be true, MOST LIKELY IT IS A SCAM!
  • Scams come in a variety of flavors:
    • unsolicited email messages
    • online relationships
    • online advertisements
    • online job offers
    • online purchases, auctions, etc.
    • unsolicited phone calls
  • Use of difficult-to-trace money transfer services
    • Western Union, GreenDot, BitCoin, other uninsured online currencies
  • Use of foreign countries in movement of money
    • Nigeria, Romania, UK, Canada, Ukraine
Internet - Recognizing Bad Things
• Older Examples
Internet - Recognizing Bad Things
• Reading e-mail headers
  • Viewing full headers vs. normal headers
  • Bottom up is the key
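Added example, not from the presentation: reading the Received headers of a message bottom up with Python's standard email module. Each relay prepends its own Received line, so the top line is the last hop and the bottom line is the one closest to the true origin; the "normal" header view hides all of them. The message, its .test domains and its RFC 5737 addresses are constructed, and the hop regex is an assumption that covers the common "from X (Y [ip]) by Z" form rather than a full RFC 5321 trace-header parser.

```python
import email
import re

# Constructed sample message, not a real phishing e-mail: fictitious .test
# domains and documentation IP ranges (RFC 5737). Headers are shown in
# "full header" form, as a mail client's "show original" / "view source" does.
RAW_MESSAGE = """\
Received: from mx1.example-bank.test (mx1.example-bank.test [203.0.113.10])
\tby mail.victim-corp.test with ESMTP id abc123
\tfor <ap@victim-corp.test>; Fri, 13 Nov 2015 09:12:44 -0500
Received: from mail.example-bank.test (unknown [198.51.100.23])
\tby mx1.example-bank.test with SMTP id xyz789;
\tFri, 13 Nov 2015 09:12:40 -0500
Received: from [192.0.2.77] (helo=webmail.example-bank.test)
\tby mail.example-bank.test with ESMTPA;
\tFri, 13 Nov 2015 09:12:31 -0500
From: "Peoples Bank Security" <alerts@example-bank.test>
To: ap@victim-corp.test
Subject: Action required on your account

Please verify your account.
"""

# Assumed shape of a Received header: "from <HELO name> (<reverse DNS> [<ip>]) by <host> ...".
# This covers the common form; it is not a complete RFC 5321 trace-header parser.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"            # name the sending host announced (HELO/EHLO)
    r"(?:\s+\((?P<paren>[^)]*)\))?"     # what the receiver saw: reverse DNS and/or IP
    r".*?\bby\s+(?P<by>[^\s;]+)",       # the server that recorded this hop
    re.DOTALL,
)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_hops(raw):
    """Return the Received hops in header order (top of the message = last hop)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())      # unfold continuation lines
        m = HOP_RE.match(flat)
        if not m:
            continue
        paren = (m.group("paren") or "").strip()
        first = paren.split()[0] if paren else ""
        # reverse-DNS name as recorded by the receiver; "helo=" or a bare [ip] means none
        rdns = first if first and not first.startswith(("helo=", "[")) else None
        ip_match = IP_RE.search(paren) or IP_RE.search(m.group("helo"))
        hops.append({
            "helo": m.group("helo").strip("[]"),
            "rdns": rdns,
            "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by"),
        })
    return hops


def trace_bottom_up(raw):
    """Read the chain the way an investigator does: last header first, so
    index 0 is the hop closest to the true origin."""
    return list(reversed(parse_hops(raw)))


def originating_ip(raw):
    hops = trace_bottom_up(raw)
    return hops[0]["ip"] if hops else None


def review_hops(raw):
    """Flag hops where what the sender claimed (HELO name) does not agree
    with what the receiving server observed (reverse DNS)."""
    findings = []
    for n, hop in enumerate(trace_bottom_up(raw), start=1):
        if hop["rdns"] == "unknown":
            findings.append(f"hop {n}: {hop['ip']} claimed to be {hop['helo']} "
                            f"but has no reverse DNS")
        elif hop["rdns"] and hop["rdns"] != hop["helo"]:
            findings.append(f"hop {n}: HELO {hop['helo']} does not match "
                            f"reverse DNS {hop['rdns']}")
    return findings


if __name__ == "__main__":
    for n, hop in enumerate(trace_bottom_up(RAW_MESSAGE), start=1):
        print(f"hop {n}: {hop['ip']} ({hop['helo']}, rDNS={hop['rdns']}) -> {hop['by']}")
    for f in review_hops(RAW_MESSAGE):
        print("finding:", f)
```

Only the hops recorded by servers you trust (here, the last one, written by mail.victim-corp.test) are reliable; everything below them was supplied by the sender's side and can be forged, which is why the review starts from the bottom and looks for the first place where the claimed name and the observed address disagree.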
Internet - Recognizing Bad Things
• Lookup Tools
  • Whois
    • Look up DNS information
    • Owner of domain names
    • Owner of IP addresses
  • Ping
  • Traceroute
  • Reverse IP look up
Business Email Compromise: Scenario 1
• Spoofing e-mail header to establish bona fides
  – Introduce new player who will conduct the transactions
  – New player now acts on behalf of your boss
    • Transfer money for accounts payable
    • Account given is owned by scammers
  – Money is transferred to scam account
    • Likely somewhere off shore
Business Email Compromise: Scenario 2
• Similar to Scenario 1
  – Began with a telephone call, followed by an e-mail spoofing the CEO’s e-mail address
  – Third person introduced to conduct transactions
  – Employee was instructed to talk to no one about this
    • Project was a “special assignment directly from the CEO”
    • Multiple money transfers under $10k were used to “avoid security checks”.
Business Email Compromise: Scenario 3
• Intercept legitimate e-mail traffic
• Register a look-alike domain
• Insert yourself into an existing e-mail conversation
  – Include previous message thread
  – It’ll look like a continuous communication
• Change payment information
  – Divert payment to an account controlled by scammer(s)
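Added example, not from the presentation: a defender's check, in Python, for the look-alike domains Scenario 3 depends on, plus the header pattern of a reply arriving from one inside an existing thread. The trusted-domain list, the homoglyph table, the edit-distance threshold and the sample headers are constructed assumptions; a real deployment would load the organisation's own and its vendors' domains.

```python
import re
import unicodedata

# Constructed assumptions: the organisation's own and partner domains it
# expects payment instructions from (fictitious .test names).
TRUSTED_DOMAINS = sorted({"example-bank.test", "victim-corp.test"})

# Character sequences commonly used to imitate another (assumed, not exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def skeleton(domain):
    """Collapse confusable sequences so that look-alikes compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for seq, repl in HOMOGLYPHS.items():
        d = d.replace(seq, repl)
    return d


def levenshtein(a, b):
    """Edit distance, to catch one- or two-character typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS):
    """'trusted', 'unknown', or 'lookalike:<kind>:<imitated domain>'."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if domain.endswith("." + t):
            return "trusted"                      # real subdomain of a trusted domain
        if skeleton(domain) == skeleton(t):
            return f"lookalike:homoglyph:{t}"     # e.g. examp1e-bank.test
        if levenshtein(domain, t) <= 2:
            return f"lookalike:typo:{t}"          # e.g. example-bnak.test
        if t.split(".")[0] in domain:
            return f"lookalike:embedded:{t}"      # e.g. example-bank-secure.test
    return "unknown"


# Constructed sample headers (not real messages).
SAMPLE_MESSAGES = [
    # a genuine reply inside an existing thread
    {"From": "ap@example-bank.test", "Reply-To": "", "In-Reply-To": "<m1@example-bank.test>"},
    # Scenario 3: a look-alike domain "continuing" the same thread
    {"From": "ap@examp1e-bank.test", "Reply-To": "", "In-Reply-To": "<m1@example-bank.test>"},
    # a spoofed From with replies diverted to a domain the scammer controls
    {"From": "ceo@victim-corp.test", "Reply-To": "ceo@victim-corp-mail.test", "In-Reply-To": ""},
]


def _domain(addr):
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else None


def review_message(msg):
    """Return the findings a mail gateway or analyst would raise on these headers."""
    findings = []
    from_dom = _domain(msg.get("From"))
    verdict = classify_sender_domain(from_dom) if from_dom else "unknown"
    if verdict.startswith("lookalike"):
        findings.append(f"From domain {from_dom}: {verdict}")
        if msg.get("In-Reply-To"):
            findings.append("look-alike domain is replying inside an existing thread")
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain "
                        f"({classify_sender_domain(reply_dom)})")
    return findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", review_message(msg) or "no findings")
```

The edit-distance rule will misfire on very short trusted domains, so the threshold belongs with the list it is tuned for. A hit on a message that changes payment details is a reason to verify the change by telephone with a number already on file, not one taken from the e-mail.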
Reverse Social Engineering
• Power Company Intrusion
  – Vulnerable billing system
• Gathered data on target’s customers
  – Customer Name
  – Address
  – Telephone #
  – E-mail addresses
  – Account #
  – Billing information
    • Due dates, amounts due, recent payment history, etc.
Reverse Social Engineering (continued)
• Used caller ID spoofing
  – Spoofed customer telephone numbers for easier account access
  – Spoofed power company numbers when calling customers
• Told customers their most recent bill hadn’t been paid and power will have to be shut off if payment isn’t received within 30 minutes
  – To authenticate the call, they used both
    • data acquired from Power Company intrusion
    • Spoofed caller ID
  – Provided two options for making payment within 30 minutes
    • Go to nearest customer service center (always more than 30 minutes away)
    • Go to CVS and purchase GreenDot card and provide card info to make payment
Hop Points
• One objective of APT:
  – To acquire and use Hop Points while remaining undetected
• Means to avoid raising suspicions based on IP addresses
  – Hop Points can be geographically near target
  – Network entry and data exfiltration
• Otherwise non-descript computers can be used to
  – Facilitate the undetectable theft of trade secrets
  – Other National Security information
Cyber National Security
• Show of hands
  – Who here believes their computer network could be used to steal secrets from:
    • U.S. Government?
    • Government Contractors?
  – Proprietary information from Fortune 500 companies?
[Diagram slide; labels only: US Defense Contractors, Small US Consulting Business, Foreign University, Small US Construction Business, Foreign Web Hosting Service, State-sponsored Cyber Actors]
The Big Cases, 2014 - present
• Target, Home Depot, Sony, Anthem, OPM
  – Intrusions that compromise enormous amounts of Personally Identifiable Information
    • Adversaries use data to identify government and military personnel
    • Criminals use data to capitalize on it
      – Sell data to other criminals
      – Create fake credit cards for ATM and POS transactions
      – Use for online purchasing
      – Steal identities
  – Revenge/coercion
    • Sony, for example
The Big Cases, 2014 - present
• Realized harm
  – Damage to company reputation
  – Damage to U.S. economy
  – Consumer distrust of e-commerce
    • Usually an uninformed distrust
      – Point-of-Sale (POS) data compromised rather than Internet sale data
• If you make yourself a target, you WILL BE COMPROMISED!!!
Investigating Internationally
• What to do when the criminals operate exclusively beyond U.S. borders?
  – Establish global law enforcement presence
    • FBI Legal Attaches (LEGAT)
      – Global coverage from more than 60 embassies
    • Interpol
    • Mutual Legal Assistance Treaties (MLAT)
Romanian Phishing Case Study
• Case began in June 2005 when an InfraGard member received a phishing e-mail from Peoples Bank
  – Member did not have an account with Peoples Bank and immediately recognized it as phishing
• A spoofed e-mail address and graphical images were created to look like the message was truly from Peoples Bank
• Phishing e-mail contained a link to a phishing web site unwittingly hosted in Minnesota
Romanian Phishing Case Study
• Unwitting owner of phishing web site provided copies of files used to produce the web site
  – From the scripts, it was determined that phished data was sent to an e-mail collector account, vercarti1@yahoo.com
  – Search warrants and subpoenas to Yahoo! and various ISPs revealed a connection to Romania
Romanian Phishing Case Study
• Investigative assistance provided by Peoples Bank revealed numerous ATM withdrawals made in Romanian cities using phished data
• The LEGAT in Bucharest was brought into the investigation
  – The LEGAT worked closely with the Romanian National Police (RNP) in a joint investigation
Romanian Phishing Case Study
• Joint international investigation
  – Allowed informal sharing of information outside of the burdensome and time-consuming MLAT process
  – MLAT process was still necessary for the collection of evidence that would be used against defendants
  – Based on search warrants to Yahoo!, Google, and other U.S. ISPs and corroboration of IP addresses and official identification documents by the RNP, more than 20 Romanians were identified as being involved in phishing
Romanian Phishing Case Study
• Timeline
  – June 13, 2005 – case begins from e-mail receipt
  – August 2005 – first of many search warrants issued
  – January 18, 2007 – seven Romanians indicted in CT
  – February 2007 – Interpol Red Notices issued
  – June 6, 2007 – First arrest (OINR) made in Bulgaria
    • OINR was transiting Bulgaria for vacation in Turkey
  – November 8, 2007 – extradition of OINR from Bulgaria
  – April 17, 2008 – FBI investigative technique in phishing case helps RNP locate their subject in an eBay fraud case
  – May 19, 2008 – FBI Los Angeles indicts 33 in similar case and CT case gets unsealed due to some overlap
Romanian Phishing Case Study
• Timeline – continued –
  – July 22, 2008 – OINR is convicted of phishing charges
  – January 20, 2009 – PBB arrested in Canada
    • Had moved from Romania to Canada during investigation
  – March 30, 2009 – OINR sentenced to 50 months in U.S. prison
  – July 18, 2009 – CIT arrested in Croatia
    • Was working on a cruise ship that had docked there
  – May 8, 2009 – Secretary of State Clinton signs Protocols of Exchange of Instruments of Ratification for the U.S.-Romania Mutual Legal Assistance Protocol and the U.S.-Romania Extradition Treaty
Romanian Phishing Case Study
• Timeline – continued –
  – September 4, 2009 – CIT arrives in CT without contesting extradition
  – September 25, 2009 – PBB extradited from Canada
  – January 14, 2010 – CIT pleads guilty to CAN-SPAM
  – February 18, 2010 – CIT sentenced to 7 months
  – August 5, 2010 – PBB pleads guilty to phishing charges
  – November 10, 2010 – fourteen new indictments
  – Between December 2011 and November 2013, nine Romanians were arrested and extradited directly from Romania
Romanian Phishing Case Study
• Timeline – continued –
  – December 3, 2012 – NDD pleads guilty at jury selection
  – December 2012 – BB only defendant to go to trial
    • Convicted on both counts charged
  – May 15, 2013 – IS arrested in Sweden
  – June 10, 2013 – BB sentenced to 80 months
  – June 13, 2013 – NDD sentenced to 78 months
  – September 12, 2013 – IS extradited to CT
  – April 23, 2014 – IS pleads guilty
  – June 17, 2014 – PBB sentenced to 22 months
  – July 8, 2014 – IS sentenced to 45 months
Romanian Phishing Case Study
• Results
  – 13 Arrests
    • 1 Bulgaria, 1 Canada, 1 Croatia, 9 Romania, 1 Sweden
    • None had ever been to the United States
  – 13 Extraditions from 5 different countries
  – 13 Convictions
    • 12 guilty pleas and 1 at trial
  – 13 Sentences ranging from 7 – 80 months
    • Average around 50 months
  – First extradition for computer crimes committed by someone who had never been to the U.S.
  – First extraditions directly from Romania of Romanian citizens
Reaching out to Law Enforcement
• Who, what, where, why, when, and how
• Who
  • KNOW IN ADVANCE WHO YOU WILL CALL!!!
  • Large Businesses
    • FBI, USSS, Postal Inspectors, State Police
  • Small Businesses
    • IC3, State Police, FBI, USSS, Postal Inspectors
  • Individuals
    • IC3 (www.ic3.gov), Local Police, State Police
  • Call a known person
    • Calling publicly listed numbers is BAD PLANNING!
    • Verify at least annually your contact information
Reaching out to Law Enforcement
• What
  • Computer intrusions and Internet-facilitated criminal activities
    • Loss or no loss
      • National Security investigation
      • Criminal investigation, if loss is significant
      • Referral to other resources (e.g. IC3)
        • If loss is less significant
      • Intelligence collection
        • Valuable in all cases of mischievous cyber activity
Reaching out to Law Enforcement
• Where
  • Agency responsible for
    • Location of intrusion
      • where are the computers?
    • Location of Subject
      • Often not known until deep into investigation
    • Company headquarters
      • If HQ is better equipped to assist with investigation
Reaching out to Law Enforcement
• Why
  – Because the security of the Internet is a global community concern
    • All of us need to work together on this
    • A secure Internet will boost every legitimate business
    • A non-secure Internet may knock out some competition, but the bottom line of the survivors will not reap the benefits that a secure Internet can provide
Reaching out to Law Enforcement
• When
  – After the dust settles
    • Law enforcement is not equipped to be a first-responder for cyber incidents
      • Too many proprietary variables
  – Executing business continuity plan is critical
  – Collect as much information as you can before calling law enforcement
    • Once law enforcement becomes involved, restrictions on gathering evidence may attach
    • More information will help to determine if an investigation will be opened and what, if any, public exposure the victim may face
Reaching out to Law Enforcement
• How
  – However you had it planned
    • Work day, work hours
    • Work day, after hours
    • Weekend
    • Holiday
    • POC on vacation