CDW — Proprietary and Confidential. Copying Restricted. For internal use only. ACFE Presentation, November 4th, 2009. By: Mark Lachniet, CDW Security Engineer
Page 1

ACFE Presentation
November 4th, 2009

By: Mark Lachniet, CDW Security Engineer

Page 2

About Me
► Mark Lachniet, Security Engineer at CDW
► Current secretary of the Michigan HTCIA
► Licensed Private Investigator in the State of Michigan
► Numerous security and technology certifications:
  » Certified Information Systems Security Professional (CISSP)
  » Certified Information Systems Auditor (CISA)
  » GIAC Certified Forensic Analyst Gold (GCFA)
  » Microsoft MCSE, Novell MCNE, Linux LPIC, CheckPoint, etc.
► Previously worked at Analysts International as a Solutions Architect, as an instructor in Walsh College’s MSIA program, and as a technician and technology director at Holt Public Schools

Page 3

Agenda
► Discuss a few cases I have seen in the last few months
► Discuss current threat landscape
► Discuss compensating controls to emerging threats
► Discuss a few forensic best practices in fraud examinations
► Leave time for Q&A

Page 4

Recent Case – Financial Fraud
► One recent case I’ve worked on deals with a fairly large financial fraud at a Michigan-based company
► One of their computer workstations had been hacked, and the user of that workstation used it to log into a web banking system to process their regular payroll
► The user was somehow directed away from the official banking web site to a phishing web site
► The web site looked “different” to the user, so they contacted the web banking company’s technical support. Their tech support was unable to determine the problem (which in this case was the wrong URL) and told them “it must be an I.T. problem on your end”
► The user then entered their user ID, password, and code from a two-factor authentication token into the site and did payroll
► The next day they were contacted regarding what appeared to be fraud – their payroll (approximately $700,000) had been hijacked

Page 5

Recent Case – Financial Fraud
► This is especially troubling given the fact that two-factor authentication was used – these devices use a code that changes every few minutes, giving a very small window of opportunity to exploit
► This implies to me that the criminals either had some very sophisticated software that could “automagically” log into the web banking system, or they had a fully staffed 24/7 NOC with people waiting for events
► The criminals then changed the account numbers that the payroll was going to, and routed sums of approximately $9,000 to a number of different bank accounts ($10,000 is the cut off for OFAC reporting)
► This also implies that the criminals were very well versed in the banking system, because they were smart enough to change all of the ACH numbers very quickly

Page 6

Recent Case – Financial Fraud
► According to at least one report, individuals who were looking for a job online were offered jobs as “ACH processors” by some shady Internet company
► Their job was to open a bank account, wait for money to be deposited, and then withdraw the money as cash
► They would then use a wire transfer service such as Western Union to wire transfer $4,000 each to a couple different people or accounts overseas, and keep $1,000 for their trouble
► Thus, the people who were doing the conversion of virtual to physical cash and were assisting in the crime were most likely unknowing dupes
► They themselves might find their info (SSN, bank number) sold at a later date

Page 7

Recent Case – Financial Fraud
► I was then called in to help with incident response
► We began by taking a forensic image of the user’s workstation using a firewire “write blocker” to preserve the integrity of the data
► While that was happening, we worked on analyzing available log sources (there weren’t any, so we had to configure firewall logging)
► We put a stop to all non-essential Internet access while we were investigating
► We also began installing WebRoot Anti-Spyware software on a number of workstations – this turned up more infected machines
► Using a firewall log analysis tool known as Sawmill, we were able to find other network activity that seemed suspicious (traffic to eastern Europe and Asia) and analyze those workstations for additional malware
► FBI later came in and took an image of the workstation as well

Page 8

Recent Case – Financial Fraud
► We started drafting a list of recommendations to help them improve their overall security posture, and presented them to senior management, including:
  » Install WebRoot everywhere
  » Purchase an intrusion prevention module for the firewall
  » Implement Websense Internet content filtering
  » Etc.
► Around this time I began performing a forensic investigation of the image copy of the computer workstation I had taken
► These investigations can be very time consuming, even if all the time is not billable, due to the amount of time required to do keyword searches, etc. This one took weeks.
► Knowing the approximate date that the machine was last “known good” (e.g. was last rebuilt), I was able to start looking at the computer workstation’s filesystem history

Page 9

Recent Case – Financial Fraud
► On the workstation I found six different pieces of malware that WebRoot had identified and removed
► These were put into a quarantine directory, and then “wrapped” with some header information about the identification WebRoot had made
► Aside from these pieces of malware, I manually found another 6 or so pieces of malicious software that their anti-virus or anti-spyware program was unable to find
► I submitted these samples to an online service known as virustotal.com, which ran them through about 30 different AV programs
► While only a portion of the AV programs identified each piece, it helped me identify what they were, and possibly what they did

Page 10

Recent Case – Financial Fraud
► I was able to see at least one source of infection – there was a malicious Adobe Acrobat PDF file
► This file exploited the PDF reader program and executed JavaScript to download a number of different pieces of malware from a server in Russia (you could see the files being created in rapid succession)
► One of those appeared to be a keylogger, as I found a number of data files that looked like partially encrypted keylog entries
► The PDF file may have come in through e-mail, as there was a remnant of an Outlook Express file at that time, or may have come through browsing
► Unfortunately, by the time I was making real progress with the case, the client wanted to control costs and asked me to stop investigating
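The filesystem-history technique from pages 8 and 10 (start from the last “known good” date, then look for files created in rapid succession) can be expressed as a small timeline script. This is an added example, not the presenter’s own tooling or the tools named on the slides; it runs over a constructed directory tree that stands in for a mounted forensic image, and it uses modification time because creation time is not portable across filesystems. The sample file names, dates and the 30-second burst window are assumptions of this example.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone


def filesystem_timeline(root, known_good):
    """List files modified on or after the known-good date, oldest first.

    Returns (timestamp, path-relative-to-root) tuples. Uses st_mtime: creation
    time is filesystem-specific, so mtime is the portable choice (an assumption
    of this example, and a limitation to keep in mind when reading results).
    """
    cutoff = known_good.timestamp()
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks on an image
            except OSError:
                continue                     # unreadable entries are skipped, not fatal
            if st.st_mtime >= cutoff:
                ts = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                entries.append((ts, rel))
    entries.sort()
    return entries


def creation_bursts(entries, window=timedelta(seconds=30), min_files=3):
    """Group consecutive timeline entries that are within `window` of each other.

    A group of at least `min_files` files is the 'created in rapid succession'
    pattern the slides describe for a dropper fetching several payloads.
    """
    bursts, current = [], []
    for ts, path in entries:
        if current and ts - current[-1][0] > window:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append((ts, path))
    if len(current) >= min_files:
        bursts.append(current)
    return bursts


def build_sample_image():
    """Constructed stand-in for an imaged workstation (not real evidence).

    The 'last rebuilt' date and every file below are made up for this example.
    """
    root = tempfile.mkdtemp()
    rebuilt = datetime(2009, 8, 1, tzinfo=timezone.utc)   # constructed known-good date
    sample_files = {
        "Windows/system32/kernel32.dll": rebuilt - timedelta(days=40),   # pre-dates rebuild
        "Documents/budget.xls": rebuilt + timedelta(days=3),
        "Temp/invoice.pdf": rebuilt + timedelta(days=10, hours=9),        # the lure document
        "Temp/a1.exe": rebuilt + timedelta(days=10, hours=9, seconds=4),  # payloads, seconds apart
        "Temp/b2.dll": rebuilt + timedelta(days=10, hours=9, seconds=7),
        "Temp/c3.tmp": rebuilt + timedelta(days=10, hours=9, seconds=11),
        "Documents/notes.txt": rebuilt + timedelta(days=20),
    }
    for rel, ts in sample_files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.utime(path, (ts.timestamp(), ts.timestamp()))  # back-date the file
    return root, rebuilt


if __name__ == "__main__":
    image_root, known_good = build_sample_image()
    timeline = filesystem_timeline(image_root, known_good)
    for ts, rel in timeline:
        print(ts.isoformat(), rel)
    for burst in creation_bursts(timeline):
        print("burst of", len(burst), "files starting", burst[0][0].isoformat())
```

On a real image the root would be the mount point of the read-only mounted image, and the burst window is something to tune per case; what matters is that the filter by known-good date shrinks the haystack before any keyword search begins.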

Page 11

Recent Case – Financial Fraud
► At that time, I stopped doing analysis (well, sorta) and documented what I had found
► Wish I could have analyzed the malware to see what it did…
► Presented the document to the customer, and suggested that we give it to law enforcement (in this case the out-of-state FBI who were handling the case)
► This project had some interesting “lessons learned”:
  » Two-factor authentication not as secure as we thought
  » Criminals are extremely organized and motivated
  » Organizations not keen on sharing info for fear that it would become a public record and make them look bad
  » Organizations only invest in security when they are “burned”
  » Organizations not really interested in paying to figure out what happened
  » Antivirus / Anti-Malware / Anti-Spyware can NOT keep up with threats!

Page 12

Small Targets – The New Trend?
» About a month after this event we started hearing about this happening on a massive scale from the FBI and other sources:

http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html?wprss=securityfix

Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week.

According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim's online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company's online account in sub-$10,000 chunks to avoid banks' anti-money-laundering reporting requirements. From there, the funds are sent to so-called "money mules," willing or unwitting individuals recruited over the Internet through work-at-home job scams.

Page 13

Recent Case – Computer Theft
► In another case that I recently worked on, a local company that deals with medical insurance was broken into, and 8 laptops were stolen
► The customer had camera footage of the criminal – they had exploited a slowly-closing handicap perimeter door to enter the building in the 30 minutes AFTER the end of the business day but BEFORE the security system was enabled
► They then went to an open office area and carried the laptops out
► These laptops contained sensitive regulated data (financial and medical, potentially regulated by GLBA, HIPAA and PCI) and were unencrypted
► Due to this, it might be necessary for them to give notification to their customers or regulators that the data was potentially stolen
► The I.T. manager was immediately fired (as a scapegoat?), presumably for not having had encryption on every machine in the place

Page 14

Recent Case – Computer Theft
► Customer initiated a project to encrypt ALL workstations with Whole Disk Encryption (which gives you a “safe harbor” type exception, so you usually don’t have to report if encrypted machines are stolen)
► I was brought in to help look at their security and workstation practices
► Created a scaled-back assessment survey that focused specifically on workstations, and the practices, procedures and physical security surrounding them
► Did this survey and a physical walkthrough of the organization and began documenting recommendations with a “cost” and “gain” metric

Page 15

Recent Case – Computer Theft
► Physical Security:
  » Slow-closing front doors
  » Employees not locking offices and workgroup areas
  » Badge system didn’t require PIN number entry on exterior
  » Weak physical key management (e.g. master keys)
  » Power cut-offs could be engaged by anyone
  » Exterior lights not on 24/7
  » No motion sensors or window break sensors in building
  » Hinges on the outside of the door could be broken off to gain entry

Page 16

Recent Case – Computer Theft
► Practices and Procedures:
  » Users still saving sensitive data to local workstations, even though told not to
  » No data classification and handling system (e.g. to categorize data and detail how each category is created, handled and destroyed for both physical and electronic media)
  » No formal system of assigning access rights with badge system and keys (thus no easy way to audit)
  » Weak acceptable use policy detailing user responsibilities, practices and requirements

Page 17

Recent Case – Computer Theft
► Technical:
  » Inadequate patching for non-Microsoft apps such as Acrobat, Flash, Quicktime, WinZip, etc., making it easy for malware to be introduced
  » Shared local admin password on all workstations – if you steal one, you can crack the local admin PW with a rainbow table attack
  » No encryption or restriction of media and I/O ports
  » No regular vulnerability assessments of internal hosts and web applications
  » Weak passwords – no complexity required
  » And many many more…

Page 18

Recent Case – Computer Theft
► Customer response:
  » Encrypt ALL hard drives
  » Hire consultants to do an analysis of their new workstation image (verify that encryption works, they are not easily “hackable”, verify build procedures, etc.)
  » Consider a fuller analysis of other security controls, possibly a “security needs” analysis
► Lessons learned:
  » People get fired! Often for bad reasons
  » Security is only a priority when people get burned
  » Lack of planning (e.g. data classification and handling) and lack of training are a huge problem

Page 19

Recent Case – Insecure Web App
► Web applications are another major vector of attack for criminals
► See my previous technical session on web app security for the ACFE for technical details
► Web applications are tasty targets because:
  » Developers tend to be woefully uneducated about security
  » Development projects are usually under massive time constraints
  » Requirements definition rarely includes “real” security controls
  » Quality assurance processes usually do not test security
  » Many of the most common security tools (Intrusion Prevention Systems, firewalls, anti-virus, etc.) do not protect against web application attacks such as SQL injection
  » Bad web applications are relatively easy to exploit
  » Successful exploitation leads to full access of all database contents and possibly even the hosting servers

Page 20

Recent Case – Insecure Web App
► As part of a recent external assessment, I came across some vulnerabilities in a web application
► The application was used to host web-based training content
► The application was written by a vendor, and purchased by the customer
► The application ran on Windows, and used a back-end SQL database for storage of data (including SSNs, which were presumably tracked so users could get CPE credits)
► During the assessment, the scanning tool noted that a number of cookies were being set, one of which was something like “IS_Admin=0”
► The tool found no other vulnerabilities on that host
► Based on this crumb of information, I started looking at the app

Page 21

Recent Case – Insecure Web App
► Immediately noticed that encryption (HTTPS) was not used
► I started by setting up a security proxy server called Paros, so that I could see what all of the browser requests and responses were
► I then created an account using the self-registration feature, and logged into the application
► When I logged in, I noticed a couple of cookies being set that looked interesting:
  » Set-Cookie: SystemRights=STUDENT_ID=mlachniet; path=/
  » Set-Cookie: STUDENT_ID=mlachniet; path=/
► This is an example of using client-side variables (e.g. cookie values) in an application, and is not necessarily dangerous
► For example, CNN.COM does something similar to determine which version of CNN to show you (US or International)

Page 22

Recent Case – Insecure Web App
► Using client-side scripting such as this has a valid role in web applications – for example validating input before it is submitted to enhance the end user experience
► In a well-secured application, however, all security features will be validated on the server side as well as the client side
► For an experiment, I decided to use my Paros proxy to intercept and change these cookies to the username ‘admin’
  » Set-Cookie: SystemRights=STUDENT_ID=admin; path=/
  » Set-Cookie: STUDENT_ID=admin; path=/
► The server did not complain about this at all (or even notice)
► I then went into the “my account” area of the web site, and could see that indeed I was now logged in as the user admin

Page 23

Recent Case – Insecure Web App
► At this point I was logged into the user side of the application as ‘admin’ but I did not have access to the administrative side
► I then noticed on the “my account” page that there was a place to set a new password without knowing the old password
► This was especially convenient because I had no idea what the old password was
► So, I changed the password to something I knew, and then tried to log into the administrative side of the application
► Sure enough it worked, and I had administrator access to the application (which wasn’t particularly interesting anyway)
► The next step was to try to leverage this administrator access to compromise the back-end SQL database and if possible the server running it
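Pages 21 to 23 describe two server-side failures: identity was read straight from a client-settable cookie (STUDENT_ID), and the “my account” page let a password be changed without the old one. The following is an added example, written in Python rather than the vendor’s ASP.NET, and it is not the vendor’s or the presenter’s code. It puts the cookie-trusting pattern from the slides next to a hardened version in which the client only ever holds a random session token, the server owns the token-to-user mapping, and a password change re-authenticates first. The user names come from the slides; the passwords, the in-memory stores and all helper names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, is_admin: bool) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "is_admin": is_admin}


# Constructed user table modelled on the slides: a self-registered student and the admin.
# The passwords are made up for this example.
USERS = {
    "mlachniet": _make_user("student-pw", is_admin=False),
    "admin": _make_user("admin-pw", is_admin=True),
}


def _check_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def _cookies(cookie_header: str) -> SimpleCookie:
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar


# --- The pattern from the slides: identity is whatever the client says it is ---------------
def vulnerable_current_user(cookie_header: str):
    """Whoever controls the Cookie header controls the identity (STUDENT_ID=admin works)."""
    jar = _cookies(cookie_header)
    return jar["STUDENT_ID"].value if "STUDENT_ID" in jar else None


# --- Hardened: an opaque token in the cookie, the mapping on the server -------------------
SESSIONS = {}   # token -> username; a server-side store (this example's assumption)


def login(username: str, password: str):
    """Return a Set-Cookie value on success, None on failure."""
    if not _check_password(username, password):
        return None
    token = secrets.token_urlsafe(32)          # 256 bits of randomness: not guessable or forgeable
    SESSIONS[token] = username
    return f"SESSION={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def current_user(cookie_header: str):
    jar = _cookies(cookie_header)
    if "SESSION" not in jar:
        return None
    return SESSIONS.get(jar["SESSION"].value)  # unknown or forged tokens map to None


def is_admin(cookie_header: str) -> bool:
    """Authorization is derived from the server-side record, never from a cookie flag."""
    user = current_user(cookie_header)
    return bool(user) and USERS[user]["is_admin"]


def change_password(cookie_header: str, old_password: str, new_password: str) -> bool:
    """Require the current password before accepting a new one; the slides' app did not."""
    user = current_user(cookie_header)
    if user is None or not _check_password(user, old_password):
        return False
    USERS[user] = _make_user(new_password, USERS[user]["is_admin"])
    # Drop every other session for this user so a stolen session does not survive the change.
    keep = _cookies(cookie_header)["SESSION"].value
    for token in [t for t, u in SESSIONS.items() if u == user and t != keep]:
        del SESSIONS[token]
    return True


if __name__ == "__main__":
    print(vulnerable_current_user("STUDENT_ID=admin"))                 # admin
    cookie = login("mlachniet", "student-pw").split(";")[0]
    print(current_user(cookie), is_admin(cookie))                       # mlachniet False
    print(current_user("SESSION=admin"), is_admin("SESSION=admin"))     # None False
```

The point the slides make about “validated on the server side” is visible in `current_user`: the cookie carries no meaning by itself, so editing it in a proxy yields nothing the server has not issued. The HttpOnly, Secure and SameSite attributes are standard cookie flags; on the slides’ application they would have mattered less than the missing HTTPS.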

Page 24

Recent Case – Insecure Web App
► Upon browsing through the options I had as administrator, I found a few interesting pages – one was user information, and the other was system reporting
► I tried to pull up user pages to see if it would reveal the users’ passwords (it didn’t, it masked them) but it did show me their SSN.
► Looking at the reporting page, I found that it was possible to create custom queries of the database – for example to see all of the users from a specific area code, or that had completed a certain training module
► Using the Paros proxy, I was able to see that the HTML interface was in fact generating SQL query requests to the back-end database

Page 25

Recent Case – Insecure Web App
► For example, a query of first name and last name in the HTML interface created a web request of:
  » GET http://target/Reporting/ReportGenerator/run_report.aspx?SQL=SELECT+STUDENT_LNAME,STUDENT_FNAME+FROM+tblxxx_xxx''&Title=cdwtest HTTP/1.1
► Being that this was apparently raw SQL, I decided to try to bypass the HTML interface entirely and submit hand-crafted SQL queries:
  » GET http://target/Reporting/ReportGenerator/run_report.aspx?SQL=SELECT+STUDENT_LNAME,STUDENT_FNAME,EMPLOYEE_ID+FROM+tblxxx_xxx+WHERE+EMPLOYEE_ID+<>+''&Title=cdwtest HTTP/1.1
► This then gave me a report of all users in the system with first name, last name and employee ID (which was in this case SSN!)

Page 26

Recent Case – Insecure Web App
► Hence with no prior knowledge of the system and a little bit of security logic, I was able to harvest over 1,500 users’ demographic information including name, address, phone number, SSN, etc. in a couple hours – likely enough to steal their identity
► At this point I could get any data out of the database that I wanted (including data in other tables not related to this app)
► The next step was to try to compromise the host operating system using a SQL stored procedure called xp_cmdshell
► xp_cmdshell allows you to run operating system commands as the user account that SQL is logged in as (some kind of admin)
► In this case, the access rights in the database blocked this attack, and I did not take over the SQL server directly
► Given more time and tools to analyze each piece of code, it seems likely that more vulnerabilities would be found
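Pages 25 and 26 show a report page that accepted the SQL text itself as a request parameter, and then note that restricted database rights were what stopped the escalation. The following is an added example, not the vendor’s or the presenter’s code, and it uses Python with SQLite rather than the ASP.NET and SQL Server stack on the slides. It places the raw-SQL report runner next to a hardened one that builds the query from an allow-list of columns and filters, binds every user-supplied value as a parameter, and opens the database read-only for reporting (SQLite’s read-only open stands in for the restricted SQL Server account; SQLite has no xp_cmdshell). The table name, the column names other than STUDENT_LNAME, STUDENT_FNAME and EMPLOYEE_ID, the sample rows and all helper names are assumptions of this example.

```python
import os
import sqlite3
import tempfile

# Constructed sample data modelled on the training application; these are not real people.
_ROWS = [
    ("Lachniet", "Mark", "111-11-1111", "517"),
    ("Doe", "Jane", "222-22-2222", "313"),
    ("Roe", "Richard", "333-33-3333", "517"),
]


def build_database() -> str:
    """Create a throwaway database file; the table name tblStudents is an assumption."""
    path = os.path.join(tempfile.mkdtemp(), "training.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE tblStudents (STUDENT_LNAME TEXT, STUDENT_FNAME TEXT, "
                "EMPLOYEE_ID TEXT, AREA_CODE TEXT)")
    con.executemany("INSERT INTO tblStudents VALUES (?, ?, ?, ?)", _ROWS)
    con.commit()
    con.close()
    return path


# --- The pattern from the slides: the query text arrives in the request ----------------------
def vulnerable_run_report(db_path: str, sql: str):
    """Whatever SQL the client sends is what runs; any column of any table is reachable."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()


# --- Hardened: allow-listed structure, bound values, read-only connection --------------------
REPORT_COLUMNS = {"STUDENT_LNAME", "STUDENT_FNAME", "AREA_CODE"}   # EMPLOYEE_ID is deliberately absent
FILTER_COLUMNS = {"AREA_CODE"}


class ReportError(ValueError):
    """Raised for any request that asks for structure outside the allow-lists."""


def _open_readonly(db_path: str) -> sqlite3.Connection:
    # Least privilege for the reporting path: even a bug in query building cannot write.
    return sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)


def run_report(db_path: str, columns, filters=None):
    """Build SELECT from allow-listed names; user values only ever travel as '?' parameters."""
    bad = [c for c in columns if c not in REPORT_COLUMNS]
    if not columns or bad:
        raise ReportError(f"column(s) not permitted in reports: {bad or 'none requested'}")
    where, params = [], []
    for col, value in (filters or {}).items():
        if col not in FILTER_COLUMNS:
            raise ReportError(f"filtering on {col} is not permitted")
        where.append(f"{col} = ?")
        params.append(value)          # bound, so quotes in the value are data, not syntax
    # Interpolating names here is safe only because each one passed the allow-list above.
    sql = f"SELECT {', '.join(columns)} FROM tblStudents"
    if where:
        sql += " WHERE " + " AND ".join(where)
    sql += " ORDER BY rowid"
    con = _open_readonly(db_path)
    try:
        return con.execute(sql, params).fetchall()
    finally:
        con.close()


def reporting_connection_can_write(db_path: str) -> bool:
    """Show what the read-only open buys: a write attempt on the reporting path fails."""
    con = _open_readonly(db_path)
    try:
        con.execute("DELETE FROM tblStudents")
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        con.close()


if __name__ == "__main__":
    db = build_database()
    print(vulnerable_run_report(db, "SELECT STUDENT_LNAME, STUDENT_FNAME, EMPLOYEE_ID "
                                    "FROM tblStudents WHERE EMPLOYEE_ID <> ''"))
    print(run_report(db, ["STUDENT_LNAME", "STUDENT_FNAME"], {"AREA_CODE": "517"}))
    print(reporting_connection_can_write(db))   # False
```

The structure of the query (which columns, which filters) is the application’s decision and is checked against fixed sets; only values are accepted from the user, and those never touch the SQL text. That is the split the slides’ report generator lacked, and the read-only connection is the database-side control that limited the damage in the case described.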

Page 27

Recent Case – Insecure Web App
► I informed the customer about what I had found and wrote up a brief report for their technical and compliance people
► The next step will be to inform the vendor
► Lessons Learned:
  » Regular vulnerability assessments are essential to long-term security
  » Just because a piece of software is a commercial product does not mean that it is secure!
  » Strong technical app development and DBA functions are critical – in this case the restricted database configuration stopped me from completely compromising the system
  » Requiring vendors to prove that they’ve done a third-party audit of their software is a must
  » Scanning tools don’t know everything! The host came back as clean from Nessus and might have been totally missed

Page 28

Michigan Data Breach Notification Law

The New Michigan Data Breach Notification Law

Friday, May 11, 2007
ANN ARBOR - The burgeoning laws in Michigan that focus on the protection of consumer data takes another step forward this summer. Effective July 2, a security breach of a database or data that includes personal information, such as the last name linked to a Driver license, social security number, or credit card number, may require the person or agency that owns or licenses that data, to provide a notice of the security breach to each individual whose information was accessed or acquired. (445.72a).

A violation of the Act is punishable by a fine of $250 for each failure to provide notice, and the aggregate liability for multiple violations that arise from the same security breach shall not exceed $750,000. The new law stems from an amendment to the current Identity Theft Protection Act that was signed into law by Gov. Granholm on Jan. 3.

http://www.butzel.com/pdf/070511artTECH.pdf

Page 29

The Pain of a Breach
► So far we have three examples – an online economic fraud, a real-life theft fraud (with possible information leak), and a potential information leak
► An information leak has the potential to be just as bad, possibly worse than the other two in terms of overall impact on an organization because:
  » May require the organization to send out “oops letters” to thousands of individuals, possibly offer free credit monitoring services
  » May greatly reduce stakeholder confidence in the organization (from media coverage, etc.)
  » May require significant investment in new technologies and staff to run them as a response to the incident
  » Could even bring about greater oversight (and cost) from a regulating agency

Page 30

The Pain of a Breach – Examples

8 August 2002 Microsoft and FTC Reach Passport Privacy and Security Settlement:
A Federal Trade Commission (FTC) investigation found that Microsoft misrepresented both the level of security provided and amount of data collected by its Passport services. As part of a settlement with the government, Microsoft will refrain from making false claims about the information it collects and will submit to an independent audit of its security program every two years. Microsoft could face fines of $11,000 a day if it fails to comply with the agreement.

ChoicePoint:
In January 2006, consumer data provider ChoicePoint Inc. agreed to pay $15 million to settle FTC charges that its security and record-handling procedures violated consumers' privacy rights when thieves breached its database.

Page 31

The Pain of a Breach – Examples

“T.J. Maxx Parent Company Data Theft Is The Worst Ever”
The intrusion hands the retailer the dubious honor of surpassing the 40 million stolen customer records mark, something that only CardSystems had been able to achieve.

TJX later settled Visa's charges against it for $41 million in November 2007, and paid an undisclosed amount to settle a group of lawsuits brought against it by Massachusetts-based banks in December 2007.

The FTC ordered TJX to designate an individual responsible for information security, identify risks to personal data, deploy safeguards to mitigate that risk, work out agreements with service providers that handle customer data, and evaluate and adjust its security program to meet operation changes. In addition, TJX must submit to a third-party audit of its security program every two years for the next two decades.

Page 32

Other Penalties for Breaches
► In addition, there may be other types of damages for failure to maintain good security and/or alert victims
► By law:
  » In the State of New York, you can be fined $10 per instance of failed notification not to exceed $150,000
  » Many other states have similar fines on the books, and more and more states are passing breach notification laws. See http://www.csoonline.com/article/221322 for an interactive map
  » At a federal level, the FTC or SEC may step in
► By civil suit:
  » Choicepoint: $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges
► Disciplinary action:
  » Lose job or vacation time
  » An Ohio Department of Administrative Services employee lost a week of vacation as a disciplinary action

Page 33

States with Breach Laws
► From: http://www.csoonline.com/article/221322
► 38 States have them as of February 12, 2008
► Interesting note: In many cases, if the lost data was in an encrypted format, you may not have to make a disclosure due to “safe harbor”

Page 34

What Happens to that Lost Data???
► A lot of times, nothing – the tape or laptop was lost or stolen, and never heard of again. No direct impact was known (but they still had to report it)
► In some cases, it may be used for identity theft, which is a real problem, but in many cases, it is sold on the black market
► Computer crime is now within the domain of organized crime such as the “Russian Business Network”
► There is an entire community and hierarchy of traffickers

Page 35

The Lucrative World of Malware and “Bot Herding”
► People are making money! Millions of dollars!
► There are entire economies based on computer crime:
  » Hackers: Produce new exploits in common software and sell the “0 day” exploits to Bot Herders
  » Bot Herders: Use the new exploits to distribute malware to end users. These are used for Denial of Service extortion, spamming, stealing network or PII information, click advertisement abuse, etc. They sell their harvested information to criminals.
  » Criminals: Use their obtained credit card and bank account information to perpetuate financial crimes and pay for further development

Page 36

Symantec Threat Report 2009
► Symantec publishes a yearly report that is well worth reading:
  http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf
► See also Cisco’s Security report:
  http://cisco.com/en/US/prod/vpndevc/annual_security_report.html
► Especially note the Symantec executive summary for trends:

“There are a number of trends noted in previous volumes of the Symantec Internet Security Threat Report that continued in 2008: malicious activity has increasingly become Web-based; attackers are targeting end users instead of computers; the online underground economy has consolidated and matured; and attackers are able to rapidly adapt their attack activities”

Page 37

Symantec Threat Report 2009
► How users are being compromised:

“Web-based attacks are now the primary vector for malicious activity over the Internet. The continued growth of the Internet and the number of people increasingly using it for an extensive array of activities presents attackers with a growing range of targets as well as various means to launch malicious activity. Within this activity, Symantec has noted that most Web-based attacks are launched against users who visit legitimate websites that have been compromised by attackers in order to serve malicious content”

► Note a couple things here – it is end users that are the greatest risk, and attacks can even come from legitimate web sites! (usually through banner ads)

Page 38

Symantec Threat Report 2009
► One very real problem is that there is a proliferation of malware, and Anti-Virus simply cannot keep up with all the new versions

Page 39

The Value of Information (2008)

Page 40

The List Not to Be On – dbloss.org
► Attrition.org used to maintain a list of “hacked” organizations, but they were unable to keep up, changed name and did breaches instead
► Now they are focusing on data breaches – see: http://datalossdb.org/

Page 41: ACFE Presentation November 4 th , 2009


The List Not to Be On – dbloss.org

Page 42: ACFE Presentation November 4 th , 2009


► As we have seen both from recent cases and from the experts, the greatest emergent threat is (and has been) our users

► In the old days, we were worried about people “hacking into” our networks. This is still a problem, but this is also a lot of work for the criminals

► It is much easier to get the malware directly on the computers of users, preferably users who conduct financial transactions

► Malware is often targeted very specifically – for example a specific bank name, or banks in a specific country

► Many workstations are infected with malware that never really activates or fulfills its purpose, especially if the user doesn’t use any financial systems

► So what are users doing, and what are a few ways to mitigate this specific threat?

Mitigating End User Infections

Page 43: ACFE Presentation November 4 th , 2009


Mitigating End User Infections

From a Cisco Webinar:

Q: Which of the following have you done in the past?

Stepped Away from Your Computer Without Logging Off or Shutting Down: 37%
Left Your Computer on Your Desk Overnight but Logged Off and Shut Down: 33%
Carried Corporate Data on Portable Storage Devices Outside the Office: 22%
Stored Computer Logins/Password Information on Your Computer at Work: 19%
Shared Computer Logins/Password with a Fellow Employee: 18%
Thrown Away Corporate Paperwork Instead of Shredding It: 18%
Stepped Away from Your Computer Without Using a Security Cable: 15%
Left Your Computer on Your Desk Overnight While Still Logged on: 12%
Sent Corporate Data to Business Partners via Instant Messenger: 11%
Stored Logins/Password/Account Numbers for Your Personal Financial Accounts on Your Computer: 10%
Written Computer Logins/Password Information Down and Posted Them on Your Monitor or Desk at Work: 8%
Written Computer Logins/Password Information Down and Stored Them in an Unlocked Cabinet at Work: 7%
Shared Computer Logins/Password with Non-Employee: 5%
Left Work Laptop/PDA in an Insecure Location e.g. Car, Restaurant, Hotel, Etc.: 5%
Written Down Logins/Password/Account Numbers for Your Personal Financial Accounts and Posted Them On Your Monitor or Desk at Work: 4%
Written Down Logins/Password/Acct Numbers for Your Financial Accts and Store Them in an Unlocked Cabinet at Work: 2%
None of the Above: 33%

Taken from Cisco Data Leakage Study – September 30, 2008

Page 44: ACFE Presentation November 4 th , 2009


► Most important of all – END USER TRAINING:

» Be aware of what are (relatively) “safe” sites to visit
» Be trained to identify strange happenings (hard drive “thrashing” too much, mouse moving on its own, programs opening by themselves, etc.)

» Be aware of the risks of social networking sites such as Facebook (especially if you run any of those hokey applications on there)

» Know how to respond to software alerts (e.g. Anti-Virus) and operating system prompts such as User Access Control (UAC)

» Be aware of the risks of remote computing (home systems, coffee shop wireless, kiosks in stadiums, etc.)

» Be aware of internal I.T. security support resources and escalation procedures, and use them when something looks odd

Mitigating End User Infections

Page 45: ACFE Presentation November 4 th , 2009


► Have an information classification and handling system:
» Identify what you have, and exactly how it must be handled (with an emphasis on encryption and destruction)

► Avoid administrative privileges:
» Do not let users have administrative access to systems unless it is absolutely necessary!
» Simply being logged in as a non-admin user can stop the majority of attacks from succeeding

► Use secure passwords:
» As obvious as it sounds, having good passwords is important.
» Use a password safe program with encryption rather than a Word or Excel file (which can be trivially broken)

Mitigating End User Infections

Page 46: ACFE Presentation November 4 th , 2009


Mitigating End User Infections

► Use workstation security software
» Conventional “signature based” antivirus is now largely useless, and many months behind the curve
» Need to use behavioral-based anti-x software that looks at what software does, not what it looks like
» Enforce mandatory encryption of hard drives and removable media such as flash drives
» Avoid chains of trust that can be exploited:

[Diagram: chain of trust System X -> System Y -> System Z]

Page 47: ACFE Presentation November 4 th , 2009


Investigate Windows 7

► Windows 7 (workstation) and Server 2008 have some good security features to look into including:
► Better (i.e. less annoying) User Access Control prompts (the pop-ups asking permission to do stuff)
► The ability to do more work as a non-administrative user
► Group policy ability to block write access to removable media that is not encrypted
► Disable NTLM authentication on the network except over IPSEC connections (will limit some network credential attacks)
► Enforce application white-listing (instead of blocking suspected-bad programs, only allow known-good applications)
► Other stuff…. Talk to a Microsoft tech

Page 48: ACFE Presentation November 4 th , 2009


Mitigating End User Infections

► Use network controls
» Content filtering such as Cisco’s Ironport S series or WebSense
» Mandatory encryption of network communications (e.g. in e-mail)
» Intrusion prevention systems on networks and hosts
» Egress filters to limit what internal networks can talk to on the Internet and other networks
» Segregation of networks (e.g. VLANs) with access control
» Robust logging and log analysis tools (at a minimum, HTML reports, better yet a SIM product like Cisco’s MARS or Arcsight)
» Secure remote access and wireless
» Two factor authentication
» And many more….

Page 49: ACFE Presentation November 4 th , 2009


Mitigating End User Infections

► Have strong I.T. procedural controls
» Executive support exists for I.T. staff
» There is a formal I.T. risk management workgroup that conducts ongoing assessments, tracks findings and remediation, and interfaces with other departments
» Adequate budget for services, capital outlay, FTEs
» I.T. staff is well trained and competent in I.T. security
» Clear and detailed policies and procedures are in place
» Incident response procedures are documented and understood by the individuals who must use them
» Manage the risk of vendors, visitors and third-party network connections
» Monitor end user activity
» Good software patching systems – especially for third party applications such as Adobe Acrobat, Flash, Quicktime, Google Taskbar, etc.

Page 50: ACFE Presentation November 4 th , 2009


Encourage Maturity In Operations

► In general, the more organized you are, the better your security will be, the less likely you are to suffer a breach, and the less expensive I.T. will be to the organization!
► Consider adopting the ITIL standards in areas such as documentation, change control, etc.
► Also formally define your security policies, expectations, procedures (e.g. server hardening, application development, database security, remote access, etc.)
► Consider the Capability Maturity Model – where are you on security?

Page 51: ACFE Presentation November 4 th , 2009


Fraud Investigation Evidence

► Even with all of these controls, there is still the very real possibility that an incident will occur
► Be ready for an incident by making sure you have the evidence you need to investigate and prosecute an incident!
► Make sure you have logs that are being archived externally (not on the device generating the logs) for your servers and network devices
► Pay attention to logging on databases and third-party applications (especially financial ones) as these may have poor or no logging by default
► Make sure that you know how your investigation will impact the evidence. Do not randomly “poke around” in the primary evidence source – make a copy of it using a read-only process
► At the same time, be aware of the law – logging some data may be a crime (see wiretap)
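One way to do the “copy it using a read-only process” step, as an added Python example that is not part of the presentation: the original is opened read-only, the working copy is hashed independently and must match, and a custody record is appended to the case notes. The file names, the examiner placeholder and the JSON-lines notes layout are assumptions.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # hash and copy in 1 MiB pieces so large images fit in memory


def sha256_file(path):
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_copy(source, destination, notes_path, examiner):
    """Copy primary evidence read-only into a working copy and verify it.
    The source is opened with os.O_RDONLY so the original is never written;
    both files are re-hashed against the digest computed while reading, and a
    custody record (assumed JSON-lines layout) is appended to the case notes.
    """
    src_hash = hashlib.sha256()
    with os.fdopen(os.open(source, os.O_RDONLY), "rb") as src, open(destination, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    digest = src_hash.hexdigest()
    for path in (destination, source):  # copy must match; source must be unchanged
        if sha256_file(path) != digest:
            raise RuntimeError(f"{path} does not match acquisition hash; re-acquire")
    record = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "examiner": examiner,
              "source": source, "copy": destination, "sha256": digest}
    with open(notes_path, "a") as notes:
        notes.write(json.dumps(record) + "\n")
    return digest


def demo():
    """Constructed sample: acquire a small fake evidence file inside a temp directory."""
    work = tempfile.mkdtemp()
    paths = [os.path.join(work, n) for n in ("evidence.bin", "working-copy.bin", "custody.jsonl")]
    with open(paths[0], "wb") as f:
        f.write(b"constructed evidence content\n" * 100000)  # not real data
    digest = acquire_copy(paths[0], paths[1], paths[2], examiner="examiner-placeholder")
    with open(paths[2]) as f:
        records = [json.loads(line) for line in f]
    return digest, sha256_file(paths[1]), records
```

For a disk rather than a file, the same loop works against the raw device node opened read-only, and a hardware write blocker remains the stronger guarantee.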

Page 52: ACFE Presentation November 4 th , 2009


Types of Investigation

► The first (and perhaps most important) step is to discuss the situation with the victim before doing any work
► There are basically three ways that I think about approaching an investigation:
» “Pull the Plug” – don’t touch the machine
» “Limited Investigation” – tread lightly
» “Extensive Investigation” – heavy footprint

► Each of these approaches has advantages and disadvantages, depending on your goals
► The most important question to ask is how strongly the organization feels about trying to prosecute
► The second most important question to ask is how much disruption to operations can be tolerated
► The third most important question is how much $$ they have to spend – going after bad guys is expensive!

Page 53: ACFE Presentation November 4 th , 2009


“Pull the Plug”

► Used when a company is VERY intent on prosecution and does not want to risk any tampering w/ evidence
► As the title implies, the only investigation physically performed on the target system would be to pull the power and network cords
► This is highly disruptive and expensive, as the server is no longer available
► There are also potential immediate results (you might miss evidence that would lead you to investigate other systems, for example)
► There is also no opportunity to examine the “state” of the machine that will be lost when turned off:
» Which programs are running
» Current network connections

Page 54: ACFE Presentation November 4 th , 2009


“Limited Investigation”

► Used when the company hasn’t decided if they want to prosecute, and are willing to obtain more information at the risk of having evidence modified
► Is less disruptive and less expensive – the server doesn’t need to be taken down to do the work
► Must analyze the system with tools that leave a very light “footprint” and will not modify much system information
► Any manual analysis is going to change evidence such as:
» File (M)odify, (A)ccess, (C)reate date flags on files
» System registry settings (for Windows machines)
» Temporary files, prefetch caches, logfiles

► Make sure you keep notes on what you did to explain the above
► The goal is to determine what happened without modifying the system in such a way that we make the evidence (overly) questionable in court
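To keep the notes the slide asks for, an investigator can snapshot the (M)odify/(A)ccess/(C)hange timestamps before and after each of their own actions and record exactly what the action touched. This is an added Python example, not from the presentation; the notes layout and the sample “ledger.txt” file are assumptions.

```python
import os
import tempfile
import time


def snapshot(root):
    """Record M/A/C timestamps (ns) for every file under root, keyed by relative path."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            st = os.stat(os.path.join(dirpath, name), follow_symlinks=False)
            snap[os.path.relpath(os.path.join(dirpath, name), root)] = dict(
                mtime=st.st_mtime_ns, atime=st.st_atime_ns, ctime=st.st_ctime_ns)
    return snap  # ctime: inode change time on Unix, creation time on Windows


def diff_snapshots(before, after):
    """List (path, field, old, new) for each changed timestamp; created/deleted files too."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if path not in before or path not in after:
            changes.append((path, "created" if path in after else "deleted", None, None))
        else:
            changes.extend((path, f, before[path][f], after[path][f])
                           for f in ("mtime", "atime", "ctime") if before[path][f] != after[path][f])
    return changes


def log_action(root, notes_path, action, perform):
    """Snapshot, run the examiner's action, snapshot again and note what it touched
    (assumed notes layout: one header line per action, one indented line per change)."""
    before = snapshot(root)
    perform()
    changes = diff_snapshots(before, snapshot(root))
    with open(notes_path, "a") as notes:
        notes.write(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} {action}\n")
        notes.writelines(f"  {p}: {f} {old} -> {new}\n" for p, f, old, new in changes)
    return changes


def demo():  # constructed sample: an old file gets opened for append during "analysis"
    evidence, notes_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    target = os.path.join(evidence, "ledger.txt")
    with open(target, "w") as f:
        f.write("constructed sample\n")
    os.utime(target, ns=(10**18, 10**18))  # push atime/mtime back to 2001 (constructed)
    def careless_append():
        with open(target, "a") as f:  # appending rewrites mtime (and ctime on Unix)
            f.write("examiner note\n")
    return log_action(evidence, os.path.join(notes_dir, "notes.txt"), "appended", careless_append)
```

The notes file must live outside the evidence tree, otherwise the notes themselves show up as a “created” change in the next diff.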

Page 55: ACFE Presentation November 4 th , 2009


“Extensive Investigation”

► Most extensive data-gathering, thus more expensive due to labor
► Still non-disruptive, the server is up and running, although it may need to be restarted occasionally
► Includes all of the work of the previous approach
► After all “light footprint” methods have been tried, a decision should be made whether to continue with more invasive techniques that will modify the evidence
► For example, it may be possible to do things such as:
» Monitor all file accesses on the system in real-time
» Monitor and record network traffic
» Improve the logging data collected (usually none by default)
» Read logs, files, view disk contents
» Plant honeypots (password.xls, etc.)

Page 56: ACFE Presentation November 4 th , 2009


Analyze Other Log Sources

► In the networked world, no machine is an island
► If systems have been appropriately designed and implemented, which isn’t that often, there will be useful information in a variety of places
► The investigator must expand the scope from the “victim system” and look elsewhere
► Additional evidence can be found in many places:
» Network and security devices on location (firewalls, a/v, ips)
» Internet Service Providers (AOL, DSL providers, etc)
» Other servers on the network (e-mail, database)
» Client workstations (especially if an insider is suspected)
» Authentication systems
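Expanding scope from the victim system in practice means pivoting: the firewall says which addresses reached the victim, the authentication system says which accounts those addresses used, and every other source is then searched for those actors. This is an added Python example, not from the presentation; the three log formats, host names, user names and documentation-range addresses are all constructed.

```python
import re
from datetime import datetime

# Constructed sample logs (not real data); documentation address ranges, ISO timestamps.
FIREWALL_LOG = """\
2009-10-14T02:13:05 fw1 accept src=203.0.113.7 dst=10.0.0.20 dpt=445
2009-10-14T02:13:09 fw1 accept src=198.51.100.9 dst=10.0.0.30 dpt=80
2009-10-14T02:20:31 fw1 accept src=203.0.113.7 dst=10.0.0.20 dpt=3389
"""
VPN_LOG = """\
2009-10-14T01:50:02 vpn1 login user=adoe src=198.51.100.9 result=success
2009-10-14T02:12:40 vpn1 login user=jsmith src=203.0.113.7 result=success
"""
FILESERVER_LOG = """\
2009-10-14T02:14:01 fs1 access user=jsmith path=finance/payroll.xls op=read
2009-10-14T02:15:12 fs1 access user=adoe path=hr/handbook.doc op=read
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Turn 'timestamp host kind key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, host, kind, rest = line.split(" ", 3)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, **dict(KV.findall(rest))})
    return events


def pivot_timeline(victim_ip, *logs):
    """Expand scope from the victim system to every source that names the same actors.

    1. firewall: which addresses connected to the victim?
    2. VPN/authentication: which user accounts did those addresses use?
    3. everything: every event involving those addresses, those users or the
       victim, merged into one time-ordered list for the case notes.
    """
    events = [e for log in logs for e in parse(log)]
    sources = {e["src"] for e in events if e.get("dst") == victim_ip}
    users = {e["user"] for e in events if e.get("src") in sources and "user" in e}
    related = [e for e in events if e.get("src") in sources or e.get("user") in users
               or e.get("dst") == victim_ip]
    return sorted(related, key=lambda e: e["time"])
```

Clock skew between sources is the usual trap here: normalize every log to one time zone and note each device's offset before trusting the merged order.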

Page 57: ACFE Presentation November 4 th , 2009


Some Evidence Locations

[Diagram: ACME Corp Network. Internal Network (Protected Machines): File Server, User Workstation, User Laptop, Printer. DMZ Network (Internet Accessible Machines): Exchange e-Mail, Web Server. Company Firewall and Internet Router sit between these networks and The Internet, where the Bad Person and the Good Person connect from. Exclamation marks on the firewall, router, mail server, web server, file server and workstation mark the places where evidence can be found.]

Page 58: ACFE Presentation November 4 th , 2009


Resources

► NIST 800-53 – a great set of security guidelines and controls at http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf
► SANS – excellent technical security training at http://www.sans.org
► HTCIA – a good place to learn about computer crime - The High Tech Crimes Investigators Society at http://www.htcia.org
► OWASP – an excellent resource for best practices on secure (web) application development http://www.owasp.org
► ISACA – good internal controls training and information security auditing certification programs at http://www.isaca.org
► ISC(2) – good information security professional certification programs at http://www.isc2.org
► CDW – a competent company that does penetration testing and security audits – at http://www.cdw.com

Page 59: ACFE Presentation November 4 th , 2009


Questions and Comments?

This presentation available upon request

Mark Lachniet
Security Engineer, CDW

[email protected]

(616) 304-3526 (cell - preferred)

(616) 464-5320 (office)