In this presentation from his webinar, IoT Security Expert Rob Black, CISSP, Founder and Managing Principal of Fractional CISO, discusses the common thread of many of today's cyberattacks. Key themes covered include:
- Post-mortem analysis of recent cybersecurity attacks and how you could mitigate against similar threats
- Evaluation of password breakdowns in protecting your organization
- Review of a high level threat model of privileged accounts
- How Privileged Access Management can significantly reduce your attack surface and improve your cybersecurity posture
2. Security Ledger
Founded in 2012
An independent voice in information security
Pioneering coverage of:
• Internet of Things and security
• Threats to critical infrastructure
• Healthcare cyber security
• Cybersecurity policy
Blog, podcast, in-person & online events
Subscribe to Security Ledger’s Weekly Ledger.
• Executive-focused email newsletter rounding up the top cyber security stories of the week.
• Visit securityledger.com/subscribe
• Text the word security to the number 345345 to join
Security Ledger | Box Jump LLC
3. High Level Trends worth noting
o Sophisticated, targeted attacks becoming the norm, rather than the exception
o Adversaries include cyber criminals, nation state actors, competitors, disgruntled/former employees
o No longer about disruption (think “I love you” virus or “SQL Slammer”):
  o Intellectual property theft
  o Data theft/ransom
  o Destructive wipers
7. Key Statistics - 1
81% of hacking-related breaches leveraged either stolen and/or weak passwords.
Source: Verizon 2017 Data Breach Investigations Report
8. Key Statistics - 2
11% of employees share passwords with co-workers.
5% share them with an outside party!!!
Source: Ovum market research: Close the password security gap. September 2017
9. Key Statistics - 3
34% of former employees access materials after leaving a company.
49% of IT workers do it!
Source: Intermedia 2017 Data Vulnerability Report
14. IT Rampage Details
What did he do?
• Surveyed network for 5 months!
• Deleted virtual servers
• Took Storage Area Network offline
• Deleted mailboxes from corporate email server
How?
• Added fake VPN user and token before he left
• Tricked staff into activating it
• Unchanged admin passwords for five months after firing a system administrator!
15. What could have stopped the attack?
Administrative controls
• Checking active employee when authorizing token
• Audit of authorized VPN users
• Change system passwords after departure
Technical controls
• Network monitoring
• Privileged Access Management
20. IoT Architecture — Smart Water Meters
[diagram: Smart Meter → Base Station → Data Center]
22. IoT Architecture — Smart Water Meters
[diagram: Smart Meter → Base Station → Data Center, with three points marked X]
23. Not So Smart Meter Details
What did he do?
• Telneted into Base Stations (from home computer)
• Used known credentials
• Changed RF Frequencies for Smart Meters, disabling communication
• Changed code
• Changed at least one password
How?
• Internet-accessible, Telnet-enabled critical infrastructure devices
• Unchanged credentials after firing employee
24. IoT Security — Credentials
• Every IoT device must have credentials
• In many cases installers use default credentials, share credentials between devices or know the credentials for each device
• If the installer departs in unfavorable circumstances, there is significant risk to the organization (and society)
• Ensuring strong credentials for administrative accounts is paramount to IoT security
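The controls on the "What could have stopped the attack?" slide and the credential concerns on this slide come down to one reconciliation: who has left, which accounts still belong to them, and which credentials they knew that were never rotated. The script below is an added illustration, not material from the webinar; the HR records, account list and device inventory are constructed sample data.

```python
"""Offboarding credential audit: reconcile accounts and device credentials
against HR departure records. All data here is constructed sample data."""
from datetime import date

# Constructed HR record: person -> departure date (None = still employed)
DEPARTURES = {"frank": date(2017, 8, 15), "alice": None, "bob": None}

# Constructed VPN/admin account list: (account name, owning person)
ACCOUNTS = [("alice", "alice"), ("vpn-frank", "frank"), ("svc-backup", "frank")]

# Constructed device credential inventory: one entry per device
DEVICES = [
    {"id": "basestation-01", "cred_id": "bs-shared",
     "last_rotated": date(2017, 3, 1), "known_by": {"frank", "alice"}},
    {"id": "basestation-02", "cred_id": "bs-shared",
     "last_rotated": date(2017, 3, 1), "known_by": {"frank"}},
    {"id": "meter-gw-07", "cred_id": "gw-07",
     "last_rotated": date(2017, 9, 1), "known_by": {"frank", "bob"}},
]


def orphaned_accounts(accounts, departures):
    """Accounts whose owner has a departure date on record (audit of VPN users)."""
    return sorted(acct for acct, owner in accounts if departures.get(owner) is not None)


def stale_credentials(devices, departures):
    """(device, person) pairs where a departed person knew the credential and it
    has not been rotated since their departure date."""
    findings = []
    for dev in devices:
        for person in sorted(dev["known_by"]):
            left = departures.get(person)
            if left is not None and dev["last_rotated"] <= left:
                findings.append((dev["id"], person))
    return findings


def shared_credentials(devices):
    """Credential ids reused across more than one device (installer sharing)."""
    by_cred = {}
    for dev in devices:
        by_cred.setdefault(dev["cred_id"], []).append(dev["id"])
    return {cid: ids for cid, ids in by_cred.items() if len(ids) > 1}


if __name__ == "__main__":
    print("orphaned accounts:", orphaned_accounts(ACCOUNTS, DEPARTURES))
    print("stale credentials:", stale_credentials(DEVICES, DEPARTURES))
    print("shared credentials:", shared_credentials(DEVICES))
```

Run on a real export, the three findings lists map directly to the slide's controls: remove orphaned accounts, rotate stale credentials, and break up shared ones.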
27. Personally Identifiable Information (PII)
[diagram: Medical and Financial PII held by a SaaS Vendor; Application → Database → Test Database (copy)]
Who can login to the database?
• System Administrators
• Tech Support
• Developers
• Contractors
• Former Employees
28. Personally Identifiable Information (PII)
[diagram: Medical and Financial PII held by a Hospital / Education Institution / Financial Institution; Application → Database → Test Database (copy)]
Who can login to the database?
• System Administrators
• Vendors
• Developers
• Contractors
• Former Employees
30. Impact Calculation — Records
• Cost Per Record: $141 on average per Ponemon Institute 2017 Data Breach Study

Number of Records   10,000         100,000        1,000,000
Impact of Breach    $1.41 million  $14.1 million  $141 million
31. Impact Calculation — Life/Safety
US Government planning cost of human life
• FDA: $7.9 million
• DOT: $9.6 million
Wrongful death in US
• Settlements: $50,000 – $10 million
• Trials: $0 – $50 million
Injury?
Property damage?
32. Likelihood Calculation
• Number of breaches per 10,000 employees: 0.15 annually from VivoSecurity calculation in How to Measure Anything in Cybersecurity Risk
Note: This methodology is used to simplify the webinar presentation. When assessing your organization, you should use a method that is specifically tied to your organization’s risks and the security controls in place to mitigate those risks.

Number of Employees   1,000   5,000   10,000
Breaches per year     0.015   0.075   0.15
35. Return on Investment — Privileged Access Management
81% of hacking breaches leverage stolen or weak passwords
Assumptions:
• $212,000 annual risk
• 50% of password risk can be reduced with PAM
• Ignores other risks mitigated by PAM
$212K × 81% × 50% = $86K of annual risk can be mitigated with PAM!
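The $212,000 annual risk on this slide is the 100,000-record, 1,000-employee case of the two preceding tables: a $14.1 million breach impact times 0.015 breaches per year. The script below is an added illustration, not material from the webinar; it carries the slide methodology through for every combination of record count and headcount, using only the constants stated on the slides.

```python
"""Annualized risk and PAM-mitigable risk following the webinar methodology:
impact = records x cost per record, likelihood scaled from 0.15 breaches per
year per 10,000 employees, mitigable share = 81% x 50%."""

COST_PER_RECORD = 141.0             # USD, Ponemon Institute 2017 Data Breach Study
BREACHES_PER_10K_EMPLOYEES = 0.15   # per year, VivoSecurity calculation
PASSWORD_SHARE = 0.81               # Verizon 2017 DBIR: breaches using stolen/weak passwords
PAM_REDUCTION = 0.50                # slide assumption: half of password risk removed by PAM


def breach_impact(records):
    """Cost of one breach exposing `records` records."""
    return records * COST_PER_RECORD


def breaches_per_year(employees):
    """Expected breaches per year, scaled linearly from the 10,000-employee rate."""
    return BREACHES_PER_10K_EMPLOYEES * employees / 10_000


def annual_risk(records, employees):
    """Annualized loss expectancy: impact times likelihood."""
    return breach_impact(records) * breaches_per_year(employees)


def pam_mitigable_risk(records, employees):
    """Portion of annual risk the slides attribute to password misuse and to PAM."""
    return annual_risk(records, employees) * PASSWORD_SHARE * PAM_REDUCTION


def risk_table(record_counts, employee_counts):
    """Annual risk, rounded to whole dollars, for each (records, employees) pair."""
    return {(r, e): round(annual_risk(r, e))
            for r in record_counts for e in employee_counts}


if __name__ == "__main__":
    table = risk_table([10_000, 100_000, 1_000_000], [1_000, 5_000, 10_000])
    for (r, e), risk in sorted(table.items()):
        print(f"{r:>9,} records, {e:>6,} employees: ${risk:>12,} annual risk, "
              f"${round(pam_mitigable_risk(r, e)):>10,} PAM-mitigable")
```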
36. How can you get budget for a PAM project?
Handling an organization’s privileged accounts is one of the top vulnerabilities in any organization’s security posture.
Demonstrate a problem
• “In a recent audit of our servers, we found 3 users with accounts who no longer work here.”
• “We haven’t changed our admin passwords since Frank left last month.”
• “All of our developers have access to all of our production systems.”
Quantify your risk
• What assets are you protecting?
• What are the paths for successful attack?
• What is the likelihood of a successful attack?
37. Key Statistics
• 81% of hacking-related breaches leveraged either stolen and/or weak passwords. (Verizon 2017 Data Breach Investigations Report)
• 11% of employees share passwords with co-workers and 5% share them with an outside party!!! (Ovum market research: Close the password security gap. September 2017)
• 34% of former employees access materials after leaving a company. 49% of IT workers do it! (Intermedia 2017 Data Vulnerability Report)
38. Next Steps
For help quantifying your cybersecurity risk or putting a plan in place to mitigate the risk, please contact us:
Rob Black, CISSP
Fractional CISO
+1 617.658.3276
Rob@FractionalCISO.com
@IoTSecurityGuy
40. Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real-time as passwords and keys are released and session activity is started
► Monitor session activity in real-time, and immediately lock/terminate suspicious activity
► Block & Alert when SSH commands are entered during privileged sessions
[diagram: Privileged Password Management (People, Services, A2A); Privileged Session Management; SSH Key Management]
41. Privileged Session Recording
All actions are indexed and searchable, along with any keystrokes recorded. Clicking on an action will immediately jump you to that index point of the recording. Timestamps may optionally be displayed, as well as toggling between showing keystrokes only, or keystrokes plus actions.
42. Differentiator: Adaptive Workflow Control
• Time
• Day
• Date
• Where
• Who
• What
[diagram of covered platforms: Mobile Devices, Security Appliances, Databases, Operating Systems, SaaS & Cloud, Network Devices, Directories, Storage, SCADA, Mainframe]
43. Why BeyondTrust? The PAM Industry Leader
Leader: Forrester PIM Wave, 2016
Leader: Gartner Market Guide for PAM, 2017