
Page 1

Cyber Security Risks and Mitigation for SME

SC Leung CISSP CISA CBCP


Page 2

Who are we?

HKCERT
– Established in 2001. Operated by the HK Productivity Council
– Provides services to Internet users and SMEs (free of charge)
– Scope of services
  • Security Monitoring and Early Warning
  • Incident Report Handling
  • Publication of Guidelines
  • Public Awareness Education
– www.hkcert.org
– Free subscription to alert information via email and mobile (we pay for the SMS charges)
– Hotline: 8105-6060

Page 3

Security Challenges to SMEs


Page 4

SME

What is an SME / SMB?
– < 50 employees, or < 100 employees in manufacturing (HK definition)

Security Challenges of SMEs
– Lack of resources in general
– IT management: a part-time responsibility
– Lack of IT and information security expertise
– Hold sensitive data (staff, customer, business proprietary info.)
– Can become easy targets of attack


Page 5

SME Threat Awareness

Target of attacks
– 40%: SME
– 28%: Larger Enterprises

What’s the worst that could happen if a small business is attacked?
– 54%: loss of productivity
– 36%: theft of proprietary or protected information

– Reference: Symantec 2011 SMB Threat Awareness Poll
  • http://www.zdnet.com/blog/small-business-matters/smbs-more-security-savvy-but-dont-see-themselves-as-targets/707


Page 6

SME Security Focus and Blind Spots

Focus on Threats
– Mostly on traditional threats (email and web malware …)
– Becoming aware of new threats: social engineering and information theft

Concern about Security Breaches
– Those with no breach experience are concerned about short-term issues (time and cost to recover)
– Those with breach experience are concerned about long-term impacts (loss of sales …)

Awareness of New Technology
– Aware of opportunities like mobile computing, social media, cloud computing
– Few are aware of the IT security risks associated with them

– Reference: AVG SMB Market Landscape Report 2011 (US & UK)
  • http://www.avg.com.au/files/media/AVG_SMB_Market_Landscape_Report_2011_FINAL.pdf

Page 7

Attackers and Motives


Page 8

Attackers and Motives

Kiddies and Early Hackers
– Fame, recognition, 2000s

Activists: Hacktivism
– Anonymous, LulzSec groups, 2011

Cyber Warfare
– Attack state critical infrastructure
  • Stuxnet on Iranian nuclear plant, 2010
  • USA drone malware, 2011

Business Relevant

Cybercriminals: Money
– Theft of information
– Extortion
– Control machines for other purposes

Unfriendly parties
– Disgruntled employees
  • Loss of reputation via data leakage or scandals
– Business competitors
  • DoS
  • Theft of business-sensitive information, patents, formulas


Page 9

Underground Economy

Sales ranking on the underground economy (chart; source: Symantec)


Page 10

DDoS rose by 700% in 2011

Worldwide Infrastructure Security Report 2011 (Arbor Networks)
– DDoS increases
– Mainly ideological (hacktivism)
– Flooding attack: average bandwidth 10 Gbps, largest 60 Gbps
  • 74% of respondents: the target is the customers
– L7 (application layer) DDoS more common
  • HTTP > DNS > SMTP > HTTPS
  • HTTP GET flood, HTTP POST flood

DDoS Trend 2011 (chart; source: CloudFlare)


Page 11

DDoS Attack Surge

Cases in Hong Kong
– 第一亞洲商人金銀業有限公司 (Feb-2012)
  • Motive: extortion
– HK Stock Exchange 披露易 (Aug-2011)
  • Motive: unknown

Two macro trends
– Political: attacks aimed at journalists covering human rights abuses in Angola, bloggers writing about alleged election fraud in Russia, escort sites in Turkey … and sites offering surrogate mother services in China.
– Financial
  • Extortion directed at e-commerce sites with around USD$1 million in monthly revenue
  • Preceded by a letter demanding a payment or threatening an attack.


Page 12

DDoS Attack Defense

Deploy an application firewall to block application-layer (L7) DDoS
– Drop traffic not conforming to the protocol standard
Prepare for bandwidth adequacy with your ISP
Provision the web service on the cloud (bandwidth $$$)
Subscribe to a web security managed service on the cloud (web attacks and small-volume DDoS attacks)
Subscribe to a DDoS scrubbing service (more costly)

Reference:
– “DDoS Attack and Defense” @HKCERT seminar 2011-10-21
  • https://www.hkcert.org/my_url/zh/event/11102101
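The two L7 defenses on this slide (drop non-conforming requests, spot a GET flood) can be checked against a web server's own access log. The following Go program is an added example, not part of the HKCERT deck: it parses combined-format log lines, counts non-conforming request lines (the kind an application firewall drops), and buckets requests per source IP into ten-second windows to flag a flood. The log lines, IP addresses (documentation ranges) and the 100-requests-per-window threshold are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// One "combined" access-log line: source IP, timestamp, request line, status, bytes.
var logRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)`)

// A request line that conforms to HTTP/1.x: METHOD SP request-target SP HTTP/1.x
var reqLineRe = regexp.MustCompile(`^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (/\S*) HTTP/1\.[01]$`)

type Hit struct {
	Src  string
	At   time.Time
	Path string
}

// parseLine returns ok=false for a line that cannot be parsed or whose request
// line does not conform to the protocol (what an application firewall would
// drop before it reaches the web server).
func parseLine(line string) (Hit, bool) {
	m := logRe.FindStringSubmatch(line)
	if m == nil {
		return Hit{}, false
	}
	at, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
	if err != nil {
		return Hit{}, false
	}
	r := reqLineRe.FindStringSubmatch(m[3])
	if r == nil {
		return Hit{Src: m[1], At: at}, false
	}
	return Hit{Src: m[1], At: at, Path: r[2]}, true
}

// Analyse counts hits per source per tumbling window and reports every source
// whose count in some window reaches threshold (value = its busiest window),
// together with the number of non-conforming lines.
func Analyse(lines []string, window time.Duration, threshold int) (flooders map[string]int, malformed int) {
	secs := int64(window / time.Second)
	counts := map[string]map[int64]int{}
	for _, l := range lines {
		h, ok := parseLine(l)
		if !ok {
			malformed++
			continue
		}
		if counts[h.Src] == nil {
			counts[h.Src] = map[int64]int{}
		}
		counts[h.Src][h.At.Unix()/secs]++
	}
	flooders = map[string]int{}
	for src, buckets := range counts {
		for _, n := range buckets {
			if n >= threshold && n > flooders[src] {
				flooders[src] = n
			}
		}
	}
	return flooders, malformed
}

// sampleLines is a constructed log: a few normal requests from documentation
// addresses, one garbage request line, and a GET flood of 150 requests from
// 203.0.113.7 inside ten seconds.
func sampleLines() []string {
	lines := []string{
		`198.51.100.2 - - [21/Oct/2011:10:00:01 +0800] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"`,
		`198.51.100.9 - - [21/Oct/2011:10:00:02 +0800] "POST /contact.php HTTP/1.1" 302 312 "-" "Mozilla/5.0"`,
		`198.51.100.2 - - [21/Oct/2011:10:00:04 +0800] "GET /logo.png HTTP/1.1" 200 9981 "-" "Mozilla/5.0"`,
		`192.0.2.44 - - [21/Oct/2011:10:00:05 +0800] "\x16\x03\x01 junk" 400 0 "-" "-"`,
	}
	base := time.Date(2011, 10, 21, 10, 0, 0, 0, time.FixedZone("HKT", 8*3600))
	for i := 0; i < 150; i++ {
		at := base.Add(time.Duration(i*66) * time.Millisecond) // about 15 requests per second
		lines = append(lines, fmt.Sprintf(`203.0.113.7 - - [%s] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"`,
			at.Format("02/Jan/2006:15:04:05 -0700")))
	}
	return lines
}

func main() {
	flooders, malformed := Analyse(sampleLines(), 10*time.Second, 100)
	fmt.Printf("non-conforming request lines dropped: %d\n", malformed)
	for src, n := range flooders {
		fmt.Printf("possible HTTP flood from %s: %d requests in a 10s window\n", src, n)
	}
}
```

Per-source counting only catches floods from a small number of addresses; a distributed flood spreads below the threshold, which is why the slide's later options (ISP capacity, cloud scrubbing) still matter.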

Page 13

Vulnerabilities


Page 14

Vulnerabilities

System and Applications
– Insecure configuration defaults
  • AutoRun on USB, CD-ROM …
  • WLAN default settings
– All software has security holes
  • Window of opportunity between the discovery of a vulnerability and the availability of a patch

Human
– People can be cheated
  • “Social engineering” techniques
  • Attackers gain trust from victims


Page 15

Threats, Vulnerabilities, Risks, Attacks and Mitigations

(Diagram) Threats (Attackers + Motives) → Attacks → Your System / Data, which has Vulnerabilities (System / Human) → Compromised System / Data = Risks. Mitigation (Technology / Awareness) is applied to the vulnerabilities.


Page 16

Case of Mac OS Security

Some people think “We don’t need anti-virus for Mac OS”. Is this true?

Flashback Trojan for OS X
– Sep 2011, pretended to be an Adobe Flash installer
– Mar 2012, targeted a Java runtime vulnerability on Mac computers
  • Said to have infected 600,000 Mac computers

Vulnerability management problem of Apple
– Flashback targeted a vulnerability in Java
– Apple does not have a patch schedule
– Apple was late patching Java
  • Available only in Mar 2012 (but Oracle released the patch in Nov 2011)

Conclusion
– No system can claim to have no security hole

Page 17

Attacks


Page 18

Attack tactics

Social Engineering (uses human vulnerabilities)
– Spoofing, “Jetso”, Fear (& Urgency), Authority
Malware & Botnets
Advanced Man-in-the-Middle attacks
Targeted Attacks (mix of social engineering and advanced attacks)

Page 19

Identity Theft: who are you really talking to?


Page 20

Email: spoof sender

Spoofed email sender → lure to install malware or visit a malicious website → user gets infected → PC controlled, keystrokes logged.
– The email protocol (SMTP) is open to spoofing
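Because SMTP itself does not authenticate the sender, a mail gateway has to look for the mismatches a spoofed message leaves behind. The Go program below is an added example, not from the HKCERT deck: it compares the domain of the visible From header with the envelope sender (Return-Path) and reads the SPF/DKIM verdicts that the organisation's own gateway recorded in an Authentication-Results header. Both messages, the domains (example-bank.com, mail-blast.example.net) and the gateway name are constructed; the check assumes the gateway strips any Authentication-Results header that arrives from outside, otherwise an attacker can simply write "spf=pass" themselves.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed message: the From header claims to be the company's bank, but the
// envelope sender (Return-Path) is an unrelated domain and the gateway recorded
// an SPF failure for it.
const spoofedMsg = `Return-Path: <bounce@mail-blast.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-blast.example.net; dkim=none
From: "Example Bank Security" <alerts@example-bank.com>
To: accounts@example.com
Subject: Urgent: verify your account

Please open the attached statement.
`

// Constructed message as it would arrive from the bank's real mail system.
const genuineMsg = `Return-Path: <alerts@example-bank.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com
From: "Example Bank" <alerts@example-bank.com>
To: accounts@example.com
Subject: Your monthly statement

Your statement is ready.
`

var authRe = regexp.MustCompile(`\b(spf|dkim|dmarc)=(\w+)`)

func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// Findings returns the reasons a message looks like a spoofed sender; an empty
// slice means nothing suspicious was seen in the headers.
func Findings(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	var out []string
	if rp := msg.Header.Get("Return-Path"); rp != "" {
		env, err := mail.ParseAddress(rp)
		if err == nil && domainOf(env.Address) != domainOf(from.Address) {
			out = append(out, fmt.Sprintf("envelope sender domain %s differs from From domain %s",
				domainOf(env.Address), domainOf(from.Address)))
		}
	}
	// Only the Authentication-Results header written by our own gateway is
	// meaningful; the gateway must strip any such header arriving from outside.
	for _, m := range authRe.FindAllStringSubmatch(msg.Header.Get("Authentication-Results"), -1) {
		if m[2] == "fail" || m[2] == "softfail" || m[2] == "permerror" {
			out = append(out, m[1]+"="+m[2]+" recorded by the gateway")
		}
	}
	return out, nil
}

func main() {
	for name, raw := range map[string]string{"spoofed": spoofedMsg, "genuine": genuineMsg} {
		f, err := Findings(raw)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s) %v\n", name, len(f), f)
	}
}
```

A mismatch between envelope and header sender is legitimate for mailing lists and some bulk senders, so in practice a finding should quarantine or tag the message for the user rather than silently drop it.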


Page 21

Website: spoof web identity

A spoofed website lures the user into entering username, password and credentials


Page 22

Malware 2.0

– Evade Detection
– Command & Control
– Forming a Botnet
– Manage & Update

Malware today causes the victim PC to become part of a botnet


Page 23

Malware Propagation channels: Executables (Executables / Document Malware / Website)

– Fake security software
– Fake video player codec
– Social network website redirect


Page 24

Malware Propagation channels: Document Malware (Executables / Document Malware / Website)

– Embedded malware in PDF or Office files
– Zeus botnet served PDF malware

(Image by Websense)


Page 25

Malware Propagation channels: Website (Executables / Document Malware / Website)

– Legitimate and trusted websites compromised
– Web admins incapable of detecting and mitigating the risks


Page 26

Multi-stage infection (drive-by download)

– Exploits imported from other servers via iframes, redirects
– When compromised, a dropper downloads and installs the actual bot malware

(Diagram) Browser → web request → Web server (injected) → redirected to Exploit server → serves exploit page → redirected to Malware Hosting server → malware downloaded
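The injection that starts the chain on the previous two slides is usually a hidden iframe pointing at the exploit server, and it is something a web admin can look for in their own pages. The Go program below is an added example (not from the HKCERT deck): it scans a page's HTML for iframes that are invisible (zero size or hidden by CSS) or that load content from a host other than the site's own. The sample page and the host names in it are constructed; the regular-expression attribute parsing is deliberately simple and is a detection heuristic for an owner's periodic check, not a malware scanner.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var (
	iframeRe = regexp.MustCompile(`(?is)<iframe\b([^>]*)>`)
	attrRe   = regexp.MustCompile(`(?i)([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)
	zeroRe   = regexp.MustCompile(`^0(px)?$`)
)

type Finding struct {
	Src    string
	Reason string
}

// attrs parses the attribute list of one tag into a lower-cased map.
func attrs(s string) map[string]string {
	m := map[string]string{}
	for _, a := range attrRe.FindAllStringSubmatch(s, -1) {
		m[strings.ToLower(a[1])] = a[2] + a[3] + a[4] // only one alternative is non-empty
	}
	return m
}

// SuspiciousIframes lists iframes a site owner would not expect on their own
// page: invisible ones (zero size or hidden by CSS) and ones that load content
// from a host other than siteHost. It is a heuristic for spotting injected
// redirects, not a malware detector.
func SuspiciousIframes(page, siteHost string) []Finding {
	var out []Finding
	for _, m := range iframeRe.FindAllStringSubmatch(page, -1) {
		a := attrs(m[1])
		var reasons []string
		if zeroRe.MatchString(a["width"]) || zeroRe.MatchString(a["height"]) {
			reasons = append(reasons, "zero-size")
		}
		style := strings.ReplaceAll(strings.ToLower(a["style"]), " ", "")
		if strings.Contains(style, "display:none") || strings.Contains(style, "visibility:hidden") {
			reasons = append(reasons, "hidden by CSS")
		}
		if u, err := url.Parse(a["src"]); err == nil && u.Host != "" && !strings.EqualFold(u.Host, siteHost) {
			reasons = append(reasons, "external host "+u.Host)
		}
		if len(reasons) > 0 {
			out = append(out, Finding{Src: a["src"], Reason: strings.Join(reasons, ", ")})
		}
	}
	return out
}

// samplePage is constructed: one legitimate same-site frame and one injected,
// invisible frame that pulls content from a third-party host.
const samplePage = `<html><body>
<h1>Welcome to Example Shop</h1>
<iframe src="https://www.example-shop.com/promo" width="600" height="300"></iframe>
<div style="position:absolute;top:-1000px">
<iframe src="http://cdn-stat.example.net/in.php" width=0 height=0 style="display: none"></iframe>
</div>
</body></html>`

func main() {
	for _, f := range SuspiciousIframes(samplePage, "www.example-shop.com") {
		fmt.Printf("suspicious iframe %s (%s)\n", f.Src, f.Reason)
	}
}
```

Running such a check against a known-good copy of each page (and alerting on any difference) is more reliable than judging a single scan, since injected code is often obfuscated JavaScript rather than a plain iframe tag.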


Page 27

Threat: Botnet (roBot Network) is major

(Diagram) Bot Herder → Command & Control Centre (C&C) → Bots (your computers!) → attacks on victims
– Services: Manage, Update, Survive the adverse


Page 28

HKCERT Incident Reports

Reporting Party (2010/11), chart: local 27.84%, overseas 44.25%, proactive discovery 27.92%

Attacks are less visible now
– Victim report figure is low.
– Compromise becomes visible when the victim machine is used to participate in phishing, malware hosting or other attacks

1. Overseas parties reported incidents to HKCERT
2. HKCERT uses proactive discovery methodologies to find hacked machines in Hong Kong


Page 29

Botnets targeting Banks and e-Commerce

Zeus and SpyEye Botnets
– Steal banking information by keylogging and form grabbing
– Features:
  • Take screenshots (saved to HTML without images)
  • Fake redirect (redirect to a prepared fake bank webpage)
  • HTML inject (hijack the login session and inject new fields)
  • Log the visiting information of each banking site, record the input string (text or POST URL)


Page 30

Man-in-the-Browser (one kind of man-in-the-middle)

Hackers’ dream: breaking two-factor authentication
– Intercept the transaction: hook major OS and web browser APIs and proxy data
– Rewrite the screen. Trick the user into entering credentials.
– Change the amount and change the destination to the attacker's account
– Change the display to the user as if his transaction was executed
  • Calculate the “should-be amount”. Rewrite the remaining total
  • Store in a database in the cloud the amount transacted from the user's perspective

Source: www.cronto.com


Page 31

Inserting a transaction (at login)

(Diagram) The user logs in and submits PIN + OTP. The Trojan kicks up a shadow login at the back and inserts a new window: “Not successful. Please retry after 1 minute”. The user submits PIN + OTP2. The hacker uses OTP2 to authenticate a transaction.


Page 32

Zeus in the Mobile

ZitMo (reported in Sep-2010)
– Zeus ver 2.0, with Man-in-the-Mobile (MitMo) feature
– Mobile Infection:
  • Starts from an infected PC visiting the bank website
  • Gets the user's phone # via a fake form
  • Sends a new "digital certificate" to the user's phone
  • User installs the “certificate” (malware)
– Sniffs the SMS messages when woken up. Forwards SMS (OTP) to the hacker

2011-July


Page 33

Mobile Malware

Mobile malware overtaking PC malware (McAfee Threat Report Q3, Q4 2011)
Android malware risk factor going high
– Unregulated Android Market
– Rooting app available: install and click a button
– Attackers repackage those same root exploits with malware

Massive infection: 5M machines (Jan 2012)
– "Android.Counterclank", a Trojan packed in 13 apps
  • Collects information including bookmarks, handset model
  • Modifies the browser's home page, pushes unwanted ads.

Android Malware
– Mostly for-profit SMS-sending Trojans
– Collect personal data for phishing or ID theft
– Used in hacktivism in Tunisia

Mobile malware samples (chart)


Page 34

Mobile banking – is it secure?

Two-factor authentication using SMS?
– Some banks start to use it as the client tool
– Loss of out-of-band communication when using SMS as a soft token; a token device is recommended

Unauthenticated mobile Apps

Hackers ported the Zeus botnet to mobile
– Zeus: botnet targeting financial institutions
– Man-in-the-Mobile attack (MitMo)


Page 35

Are you the next Targeted Attack?

Targets businesses, political organizations, NGOs
– By a hostile party with purpose
– Long-term persistent attack: learned and targeted
– Damage: financial, remedial and reputational

Targeted Incidents 2011
– Sony, Google, RSA, DigiNotar …


Page 36

Are you the next Targeted Attack?

Phases
– Malware infection on target user or group (staff, customer)
  • Specific malware (non-public) via email, social network sites
  • Malware keeps a very low profile, periodically updated to keep long-term control
– Collect Intelligence
  • Learn the names and aliases used; tone of communication
  • Learn the business process, schedule
  • May combine with physical interaction like phone calls, fax, human interactions
– Targeted Activities (use technology / social engineering)
  • Steal / leak sensitive information
  • Spoof the transaction process
    – Use social engineering skills to change the transaction flow
    – Use advanced man-in-the-middle techniques to change the transaction flow
  • Others, e.g. infiltrate critical infrastructure and do damage

Page 37

Countermeasures


Page 38

First Thing First: Data Classification

Classify data
– Classification of data according to sensitivity level

Protect data according to sensitivity
– Set up a data protection policy
– Separate storage of sensitive data (different room, cabinet, network and server)
  • Do not mix the guest Wi-Fi network with the office LAN …
  • Do not mix the HR/Finance server with the office file server
– Set access control according to role
– Prohibit taking sensitive data out of the office
– Encrypt sensitive data (esp. when taking it out of the office)
– Back up data (for recovery when necessary), store backup tapes offsite

HKCERT Data Protection Guide
– https://www.hkcert.org/my_url/zh/guideline/08092302


Page 39

Second Thing: Set up Baseline Defense

Install a Security Suite (anti-virus, anti-spyware, personal firewall, …)
– Turn on real-time protection
– Scan periodically for malware
– Update security signatures
Install a (personal) firewall
Update security patches (important!)
– Secunia Personal Software Inspector manages MS and non-MS software
  • http://secunia.com/vulnerability_scanning/personal/
Use the browser securely


Page 40

Patching your vulnerabilities

Secunia Personal Software Inspector (screenshot)
– Personal use only


Page 41

Use Browser Securely

Use newer and secure browsers
– (Chrome 16+, FF 9+, IE 9+) have security features: URL blocking, sandbox, private browsing
– Avoid installing add-ons (extensions, ActiveX objects …) on the browser
Use separate browsers for casual browsing and transactions
Beware of Tabs
– When you log in in one tab, other tabs share the same cookie/session
  • http://mysecure.blogspot.com/2011/03/surfing-secure-for-cookiesession.html
Clean browsing history
Use Private Browsing in public kiosks


Page 42

Browser warning on malicious site (screenshot)


Page 43

Verify web site identity

SSL (HTTPS) enabled sites provide
– Encrypted connections
– Authenticated source
– Remember to log out when done


Page 44

Chain of Trust

(Diagram) Root CA cert → Server cert (labelled: untrusted root certificate)
(Diagram) Root CA cert → Intermediate CA cert → Server cert

Example: a public certificate of an online banking web site (screenshot)


Page 45

Valid Date / Expired Certificate (screenshots)
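Pages 43 to 45 describe what the browser checks before it shows the padlock: the server certificate must chain to a trusted root (through an intermediate if there is one), be within its validity dates, and be issued for the host name the user typed. The Go program below is an added example, not from the HKCERT deck: it builds its own Root CA → Intermediate CA → Server chain with constructed names (Example Trusted Root CA, www.example-bank.com and so on), then runs the same verification a browser does for the four situations on the slides: a valid chain, a server certificate under an unknown root, an expired certificate, and a certificate for a different host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // simple unique serial numbers for the example's certificates

// issue creates a certificate for cn signed by parent (self-signed when parent
// is nil). Every name used in this example is constructed.
func issue(cn string, isCA bool, dns []string, notBefore, notAfter time.Time, parent *certPair) *certPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certPair{cert, key}
}

// VerifyOutcome does what the browser does before showing the padlock: it
// returns "" when server chains to a trusted root through the supplied
// intermediates and is valid for host at time now, otherwise the reason.
func VerifyOutcome(server *x509.Certificate, intermediates, roots []*x509.Certificate, host string, now time.Time) string {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: host, CurrentTime: now}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	if _, err := server.Verify(opts); err != nil {
		return err.Error()
	}
	return ""
}

// Scenarios builds a Root CA -> Intermediate CA -> Server chain plus a server
// certificate issued by an unknown root, and reports the browser-side outcome
// for each situation on the slides. An empty string means "no warning".
func Scenarios() map[string]string {
	now := time.Date(2012, 4, 1, 0, 0, 0, 0, time.UTC)
	year := 365 * 24 * time.Hour
	host := "www.example-bank.com"
	root := issue("Example Trusted Root CA", true, nil, now.Add(-5*year), now.Add(10*year), nil)
	inter := issue("Example Issuing CA", true, nil, now.Add(-2*year), now.Add(5*year), root)
	server := issue(host, false, []string{host}, now.Add(-30*24*time.Hour), now.Add(year), inter)
	rogueRoot := issue("Unknown Root CA", true, nil, now.Add(-year), now.Add(year), nil)
	rogueServer := issue(host, false, []string{host}, now.Add(-time.Hour), now.Add(year), rogueRoot)
	trusted := []*x509.Certificate{root.cert}
	chain := []*x509.Certificate{inter.cert}
	return map[string]string{
		"trusted chain":  VerifyOutcome(server.cert, chain, trusted, host, now),
		"untrusted root": VerifyOutcome(rogueServer.cert, nil, trusted, host, now),
		"expired":        VerifyOutcome(server.cert, chain, trusted, host, now.Add(2*year)),
		"wrong host":     VerifyOutcome(server.cert, chain, trusted, "www.example-shop.com", now),
	}
}

func main() {
	for name, outcome := range Scenarios() {
		fmt.Printf("%-15s %q\n", name, outcome)
	}
}
```

The "untrusted root" case is the one a spoofed banking site produces: the attacker can issue a certificate with the right host name under a root nobody trusts, so the browser warning on page 42 is the user's only signal and should never be clicked through for a transaction.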


Page 46

Scan for malware files: VirusTotal (screenshot)


Page 47

Mobile Malware

Android Malware Vulnerability Database (PolyU research)
– http://www4.comp.polyu.edu.hk/~appsec/
Mobile malware analysis website
– http://mobile-sandbox.com


Page 48

Adopt Good Password Practice

Attack on Passwords
– Brute force attack or insider educated guess

Good Password Rule
– Easy to remember AND hard to guess
  • Something from personal experience
  • Substitute numbers for letters, characters for letters
– Hard to brute force
  • Length >= 8, mix of digits, alphabet (upper & lower case), symbols
– Meets company standards and system requirements

Something personal: I like going for picnics on Sundays
Example of a strong password: i Like Going 4 Picnics at 3und4ys → iLG4P@3und4ys
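The "hard to brute force" rule can be checked mechanically, and the search space it produces shows why the length part of the rule matters more than the rest. The Go program below is an added example, not from the HKCERT deck: it applies the slide's rule (length >= 8 and a mix of digits, upper and lower case and symbols), computes the worst-case number of guesses for an attacker who knows the length and character classes, and converts it to years at an assumed guess rate. The passwords "picnics" and "Picnic1!" are constructed for comparison; the guess rate of 10^10 per second is an assumption, not a figure from the deck.

```go
package main

import (
	"fmt"
	"math/big"
	"unicode"
)

const minLength = 8

// Classes reports which character classes a password draws on. Anything that
// is not a letter or digit (space, @, punctuation) counts as a symbol.
func Classes(pw string) (lower, upper, digit, symbol bool) {
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	return
}

// MeetsPolicy applies the slide's brute-force rule: length >= 8 and a mix of
// digits, upper- and lower-case letters and symbols.
func MeetsPolicy(pw string) bool {
	l, u, d, s := Classes(pw)
	return len([]rune(pw)) >= minLength && l && u && d && s
}

// SearchSpace is the number of candidates an attacker who knows the length and
// the classes in use must try in the worst case: alphabet^length, with an
// alphabet of 26 lower, 26 upper, 10 digits and 32 printable ASCII symbols.
func SearchSpace(pw string) *big.Int {
	l, u, d, s := Classes(pw)
	alphabet := int64(0)
	for _, c := range []struct {
		on   bool
		size int64
	}{{l, 26}, {u, 26}, {d, 10}, {s, 32}} {
		if c.on {
			alphabet += c.size
		}
	}
	return new(big.Int).Exp(big.NewInt(alphabet), big.NewInt(int64(len([]rune(pw)))), nil)
}

// YearsToExhaust converts the search space into years at a given guess rate,
// the figure that shows why length dominates the other rules.
func YearsToExhaust(pw string, guessesPerSecond float64) float64 {
	space, _ := new(big.Float).SetInt(SearchSpace(pw)).Float64()
	return space / guessesPerSecond / (365.25 * 24 * 3600)
}

func main() {
	// Constructed comparison: a dictionary word, a minimal policy-compliant
	// password, and the slide's passphrase-derived example.
	for _, pw := range []string{"picnics", "Picnic1!", "iLG4P@3und4ys"} {
		fmt.Printf("%-14s policy=%-5v search space=%-28s years at 1e10 guesses/s=%.2g\n",
			pw, MeetsPolicy(pw), SearchSpace(pw).String(), YearsToExhaust(pw, 1e10))
	}
}
```

The eight-character password passes the rule yet falls in under a day at the assumed rate, while the thirteen-character passphrase-derived one takes on the order of a hundred million years; the rule is a floor, and the passphrase trick on the slide is what gets the length up without hurting memorability.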


Page 49

Beware of Data Leakage

Leakage via loss of removable devices
– USB devices carry a lot of data (8-32 GB)
– Encryption is good practice

File Share: Leak! Leak!
– Do NOT install file share software like Foxy
– Shared files have no privacy
  • Shared data are public on the Internet
  • Search engines help explore the sea of data
  • Search engines cache links to data: it takes a longer time to clear


Page 50

Build the Human Firewall

Communicate a simple and clear security policy to all staff
– Written policy on the Intranet, notice board
– Incident report channel

Educate ALL staff on Dos and Don'ts
– (Everyone) Be a gatekeeper of corporate information assets
  • Encrypt sensitive data
  • Back up data to the company server
  • Report security incidents to management
– Do NOT risk corporate information assets
  • Do not open unsolicited attachments
  • Do not visit unsolicited websites
  • Do not take sensitive data out of the office
  • Do not use pirated software or install software on corporate PCs

Continuous awareness education
– Send staff to security seminars


Page 51

Be Prepared for Problems

LAST BUT NOT LEAST: Incident Response
– It is about preparedness
– It is about planning
– It is NOT just about instant reaction

Who should we report to?
What immediate action should we take?
What is the priority of actions?

Page 52

Q & A

Website: www.hkcert.org
Hotline: 81056060
Email: [email protected]