TARGETED ATTACKS AND THE SMALL BUSINESS

Stephen Ferrero, Consultant, Xantrion



Xantrion

• Founded in 2000 by Anne Bisagno and Tom Snyder
• Wanted to bring big company IT to small and midsized organizations
• Among the top 50 worldwide MSPs (1)
• 45 person technical team
• 70 core clients
• 3000 end users supported
• 600 servers managed

(1) MSP Mentor worldwide survey results.

Agenda

• The current SMB security paradigm
• Why we need to evolve our thinking
• Targeted attack methods
• The new SMB security paradigm

CURRENT SECURITY PARADIGM

Protect against Opportunistic Attacks

[Diagram: Attacker → Your Company]

Security mindset

• “Be more secure than the other guy”
• “I’m too small to be a target”

Typical security layers

• Hardware Firewall
• Antivirus / Antimalware
• OS Security Patches
• User Rights Assignment
• Email Filter
• Web Filter
• User Policies and Awareness
• User

WHY CHANGE?

Targeted Attack

[Diagram: Attacker → Your Company]

Targeted attacks in 2012, by size of the targeted organization (Symantec, 2013):

Small Biz (fewer than 250 employees)   31%
Midsize Biz (251 to 2,500 employees)   19%
Large Biz (more than 2,500 employees)  50%

More targeted attacks on SMB

• Attackers have more and better resources
• SMBs are typically less secure
• SMBs make good launch points

TARGETED ATTACK METHODS

Spear Phishing

1. Attacker collects data about the victim, perhaps “friending” them on social networking sites
2. Attacker looks for possible themes to leverage against the victim
3. Attacker crafts a highly customized email message with a malware-laced attachment and sends it to the victim
4. Victim opens the highly realistic email and launches the attachment

Water Hole Attack

1. Attacker collects data about the victim and the kinds of websites they visit
2. Attacker looks for vulnerabilities in these websites
3. Attacker injects JavaScript or HTML that redirects to a separate site hosting exploit code
4. The compromised site waits for unsuspecting victims
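Step 3 of the water hole attack is the part a defender can actually look for: the injected JavaScript or HTML that sends visitors to the exploit site. The scanner below is an added example (not code from the presentation or from Xantrion) that checks a page for the usual injection artifacts: iframes or scripts loading from a host other than the site’s own, 0×0 or CSS-hidden iframes, meta-refresh redirects off site, and inline scripts built with eval(unescape(...))-style obfuscation. The sample page and the hostnames example-victim.org and bad-host.test are constructed for the example; it uses only the Python standard library.

```python
"""Scan a page for the injection artifacts of a watering-hole compromise.

Added example, not from the original presentation. Looks for the ways an
injected redirect to an exploit site usually shows up in page source:
  * <iframe>/<script> elements loading from a host outside the site
  * iframes sized 0x0 or hidden with CSS
  * meta-refresh redirects to another host
  * inline scripts using eval(unescape(...)), eval(atob(...)) or
    String.fromCharCode obfuscation
The sample page and hostnames below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example-victim.org"  # assumption: the site's legitimate hostname

# Constructed sample: a normal page with an injected block before </body>.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-victim.org/lib.js"></script>
</head><body>
<h1>Members area</h1>
<iframe src="http://bad-host.test/landing.php" width="0" height="0" style="display:none"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"));</script>
</body></html>"""

OBFUSCATION_MARKERS = ("eval(unescape(", "eval(atob(", "string.fromcharcode")


class InjectionScanner(HTMLParser):
    """Collects (kind, evidence) tuples while parsing one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def _offsite(self, url):
        """True if url points at a host outside the site (subdomains allowed)."""
        host = urlparse(url.strip()).hostname
        if not host:                      # relative URL, or no URL at all
            return False
        host = host.lower()
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if (a.get("width") == "0" or a.get("height") == "0"
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append(("hidden_iframe", a.get("src", "")))
            if self._offsite(a.get("src", "")):
                self.findings.append(("offsite_iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            if self._offsite(a.get("src", "")):
                self.findings.append(("offsite_script", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            i = content.lower().find("url=")
            target = content[i + 4:] if i >= 0 else ""
            if self._offsite(target):
                self.findings.append(("meta_redirect", target.strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as one chunk; look for obfuscation idioms.
        if self._in_script:
            low = data.lower()
            if any(m in low for m in OBFUSCATION_MARKERS):
                self.findings.append(("obfuscated_script", data.strip()[:60]))


def scan(html, site_host=SITE_HOST):
    """Return the list of (kind, evidence) findings for one page."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, evidence in scan(SAMPLE_HTML):
        print(f"{kind:18} {evidence}")
```

Run against the sample it reports the hidden iframe, the off-site iframe target and the obfuscated inline script; a page that only loads scripts from its own host produces no findings. The check is deliberately coarse: legitimate sites load analytics and ad scripts from third-party hosts, so off-site script findings need an allow list before they are treated as alerts, whereas a 0×0 iframe or eval(unescape(...)) in a business site’s source is almost never legitimate.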

Process of a Typical Attack

1. Attacker delivers custom malware to the victim
2. Victim opens the attachment; the custom malware is installed
3. Malware phones home and pulls down additional malware
4. Attacker establishes multiple re-entry points
5. Attacker continues to attempt privilege escalation and reconnaissance
6. Attacker achieves the goal and exits
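Step 3 (the malware phones home) is where an SMB with only a firewall and antivirus still has a chance to notice a targeted attack, because a custom implant that the antivirus misses still has to call out on a schedule. The script below is an added example (not from the presentation or from Xantrion) showing one detection over web-proxy logs: group connections by source and destination and flag pairs whose inter-connection intervals are almost constant. The log format, internal addresses and the 203.0.113.0/24 and 198.51.100.0/24 destinations are constructed for the example.

```python
"""Spot periodic 'phone home' traffic in web-proxy logs.

Added example, not from the presentation. Groups log lines by
(source, destination) and flags pairs whose connection intervals are
nearly constant, the signature of an implant beaconing on a timer.
The log lines and addresses below are constructed for this example
(203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
Line format assumed: <ISO timestamp> <src ip> <dst ip> <status> <bytes>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.1.1.5 beacons to 203.0.113.10 every ~5 minutes
# (the 09:20 hit is the 'pulls down additional malware' stage) and also
# browses 198.51.100.7 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2013-05-07T09:00:00 10.1.1.5 203.0.113.10 200 512
2013-05-07T09:00:10 10.1.1.5 198.51.100.7 200 48213
2013-05-07T09:02:00 10.1.1.9 203.0.113.10 200 700
2013-05-07T09:03:45 10.1.1.5 198.51.100.7 200 1902
2013-05-07T09:04:02 10.1.1.5 198.51.100.7 304 0
2013-05-07T09:05:00 10.1.1.5 203.0.113.10 200 512
2013-05-07T09:10:01 10.1.1.5 203.0.113.10 200 512
2013-05-07T09:15:00 10.1.1.5 203.0.113.10 200 512
2013-05-07T09:20:00 10.1.1.5 203.0.113.10 200 198441
2013-05-07T09:20:30 10.1.1.5 198.51.100.7 200 7723
2013-05-07T09:21:11 10.1.1.5 198.51.100.7 200 3310
2013-05-07T09:25:02 10.1.1.5 203.0.113.10 200 512
"""


def parse(log_text):
    """Yield (timestamp, src, dst) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]


def find_beacons(log_text, min_hits=5, max_cv=0.1):
    """Return {(src, dst): (hits, mean_interval_seconds)} for periodic pairs.

    The coefficient of variation (stdev / mean) of the gaps between
    connections is near 0 for a fixed-interval beacon; human browsing is
    bursty and scores far higher. Pairs with fewer than min_hits
    connections are ignored so a handful of lookups cannot trigger it.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse(log_text):
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = (len(times), round(avg, 1))
    return beacons


if __name__ == "__main__":
    for (src, dst), (hits, interval) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {hits} connections, every {interval}s")
```

On the sample this flags only 10.1.1.5 → 203.0.113.10 (6 hits, about every 300 s); the browsing to 198.51.100.7 has the same number of hits but its gaps vary too much. Real implants add jitter and sleep longer, so in practice max_cv is raised, the window is hours or days rather than minutes, and a flagged pair is checked against destination reputation before anyone is paged.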

[Diagram: the typical security layers (Hardware Firewall, Antivirus / Antimalware, OS Security Patches, User Rights Assignment, Email Filter, Web Filter) around the User, with “Spear Phishing, Waterholing, etc.” aimed at the User inside them]

NEW SMB SECURITY PARADIGM

Protect against Targeted Attacks

[Diagram: Attacker → Your Company]

Security mindset

• “I have important data and assets to protect”
• Assume you are a target

Typical SMB security layers

• Hardware Firewall
• Antivirus / Antimalware
• OS Security Patches
• User Rights Assignment
• Email Filter
• Web Filter
• User Policies and Awareness
• User

Add more layers

• Educate employees
• Review hiring and firing policies
• Aggressive patching of OS and Apps
  • Acrobat, Flash, QuickTime, Java
• Get off End of Life software
  • Windows XP and Office 2003 (end of support: April 2014)

[Diagram: the typical layers (Hardware Firewall, Antivirus / Antimalware, OS Security Patches, User Rights Assignment, Email Filter, Web Filter) around the User, plus the additional layers below]

Additional security layers

• HR and Security Policies
• App Security Patches
• User Awareness and Training

Identify your valuable assets

• Customer Data
• Customer Relationships
• Intellectual Property
• Bank Account Info

Identify your special risks

• Internal threats
• Liability
• Unmanaged mobile devices
• Physical security

Plan your response

Practice secure banking

• Use two-factor authentication
• Require “dual control” or separation of duties
• Require that one control be completed on a dedicated PC
• Require out-of-band confirmation from your bank for large transactions

Protect mobile devices

• Be aware of the increase in mobile malware
• Stream data to mobile devices instead of storing it there
• Separate personal and work data
• Track devices
• Have remote-wipe capability
• Enforce password policies

Regularly re-evaluate your security

• Use the SANS Top 20 Critical Security Controls (www.sans.org; now maintained by the Center for Internet Security as the CIS Controls) as a framework for frequent security policy updates
• Remind users of proper security best practices

QUESTIONS

References

cybersecurity. (n.d.). In Merriam-Webster’s online dictionary. Retrieved from http://www.Merriam-webster.com/dictionary/cybersecurity
Small and midsize businesses. (n.d.). In Gartner IT Glossary. Retrieved from http://www.gartner.com/it-glossary/smbs-small-and-midsize-businesses/
Symantec Inc. (2013, April). Internet Security Threat Report. Retrieved from http://www.symantec.com/security_response/publications/threatreport.jsp
Verizon. (2012). Data Breach Investigations Report. Retrieved from http://www.verizonenterprise.com/products/security/dbir/?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z041
Mandiant. (2013). M-Trends 2013: Attack the Security Gap. Retrieved from https://www.mandiant.com/resources/m-trends/

Top 10 Threat Actions (Verizon, 2012)

1. Keylogger / Form-Grabber / Spyware
2. Exploitation of default or guessable passwords
3. Use of stolen login credentials
4. Send data to external site/entity
5. Brute force and dictionary attacks
6. Backdoor (allows remote access / control)
7. Exploitation of backdoor or CnC channel
8. Disable or interfere with security controls
9. Tampering
10. Exploitation of insufficient authentication (no login required)

Advanced Persistent Threats

• Long-term attacks
• Focused on large organizations
• Organized crime or state sponsored
