Slide 1
Keeping Hackers Out of Your Organisation… By Being Hacked!
Martin Overton, EMEA ERS Lead and Senior Security Consultant, Cyber Security Intelligence and Response Team (CSIRT)
Slide 3
The number of vulnerabilities increases radically with the emergence of new business models and technologies.
[Graphic: “Exponentially growing and interconnected digital universe” and “Adopting new business models and embracing new technologies”]
Drivers called out: mobility; employees, customers, contractors, outsourcers; bring your own IT; social business; cloud and virtualization.
Figures called out: 1 trillion connected objects (cars, appliances, cameras); 30 billion RFID tags (products, passports, buildings and animals); 1 billion workers will be remote or mobile; 1 billion mobile Internet users; 30 percent growth of 3G devices; 33 percent of all new business software spending will be Software as a Service.
Source: IBM X-Force® Trend Report, 2011
Slide 4
Motivation and Sophistication are Evolving Rapidly
Attackers have more resources. Off-the-shelf tools are available for sale. They will keep trying until they get in.
Slide 5
The new security landscape
Sophisticated attackers are a primary concern
Threat profile, type, share of incidents and attack types (the original chart orders the rows by a “Potential Impact” axis):
– Advanced threat / mercenary: national governments, terrorist cells, crime cartels. 23% of incidents. Espionage, intellectual property theft, systems disruption, financial crime.
– Malicious insiders: employees, contractors, outsourcers. 15% of incidents. Financial crime, intellectual property theft, unauthorized access.
– Hacktivist: social activists. 7% of incidents. Systems disruption, web defacement, information disclosure.
– Opportunist: worm and virus writers, “script kiddies”. 49% of incidents. Malware propagation, unauthorized access, web defacement.
Source: Government Accountability Office, Department of Homeland Security's Role in Critical Infrastructure Protection Cybersecurity, GAO-05-434; IBM CyberSecurity Intelligence & Response Team, September 2012
Slide 6
Did you know...
2,641,350 security attacks: what the average company faces per week
62 security incidents: what the average company experiences per week
Top 7 most ATTACKED industries:
1. Health & Social Services
2. Transportation
3. Hospitality
4. Finance & Insurance
5. Manufacturing
6. Real Estate
7. Mining, Oil & Gas
Top 5 reasons WHY attacks were possible:
1. End user didn’t think before clicking
2. Weak password / default password in use
3. Insecure configuration
4. Use of legacy hardware or software
5. Lack of basic network security protection or segmentation
What IBM sees, categories of attack: Malicious Code; Sustained Probe or Scan; Unauthorized Access; Low-and-Slow Attack; Access/Credentials Abuse; Denial of Service
Slide 7
80-90% of all security incidents can be easily avoided!
Top Reasons WHY Compromises Occur
End users/endpoints:
1. Double-clicking “on anything”
2. Disabling endpoint security settings
3. Using vulnerable, legacy software and hardware
4. Failing to install security patches
5. Failing to install anti-virus
6. Failing to report lost/stolen device
7. Connecting endpoint to a network from an insecure access point (e.g., Starbucks)
8. Using a second access point (e.g., AirCard) creating a bypass
9. Using weak/default passwords and/or using business passwords for personal use
10. Giving passwords over the phone
Systems and networks:
1. Connecting systems/virtual images to the Internet before hardening them
2. Connecting test systems to the Internet with default accounts/passwords
3. Failing to update or patch systems/applications on a timely basis
4. Failing to implement or update virus detection software
5. Using legacy/EOLed software and hardware
6. Running unnecessary services
7. Using insecure back-end management software
8. Failing to remove old or unused end user accounts
9. Implementing firewalls with rules that don't stop malicious or dangerous traffic, incoming or outgoing
10. Failing to segment the network and/or adequately monitor/block malicious traffic with IDS/IPS infrastructure
Slide 9
Network Hacked Step 1!
Initial compromise was via a default Apache Tomcat manager user id and password…
Slide 10
Network Hacked Step 2!
We then uploaded a special WAR file to allow us to gain remote shell access…
Slide 11
Network Hacked Step 3!
Using this we dumped password hashes from the system and created a user account, which we then added to the local Administrator group…
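One defensive check that follows directly from Step 1, as an added example that is not part of the original deck: a Python audit of a Tomcat tomcat-users.xml that flags Manager/Host Manager accounts protected by a default-style, username-equal or short password. The privileged role names are Tomcat's own; the weak-password list and the sample file are constructed for the example.

```python
# Added example (not from the original deck): audit a Tomcat tomcat-users.xml for
# accounts holding Manager/Host Manager roles that use weak or default-style
# passwords, the condition that gave the testers their initial foothold.
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager and Host Manager web applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed blocklist (assumption, not a vendor list): sample/placeholder values
# and trivial choices that should never protect a manager account.
WEAK_PASSWORDS = {"tomcat", "admin", "password", "changeme", "s3cret",
                  "<must-be-changed>", ""}

def audit_tomcat_users(xml_text):
    """Return (username, reason) findings for risky manager/admin accounts."""
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter():
        # Tags may carry the Tomcat namespace, so match on the local name only.
        if user.tag.split("}")[-1] != "user":
            continue
        name = user.get("username") or user.get("name") or ""
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue  # accounts without manager/admin roles are out of scope
        if password.lower() in WEAK_PASSWORDS:
            findings.append((name, "default-style password grants " + ",".join(sorted(privileged))))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif len(password) < 12:
            findings.append((name, "password shorter than 12 characters"))
    return findings

# Constructed sample file modelled on the stock tomcat-users.xml layout.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="ops" password="Kq9!vB2#xZ7$tL4m" roles="manager-status"/>
  <user username="app" password="tomcat" roles="app-user"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for name, reason in audit_tomcat_users(SAMPLE):
        print("RISK: user '%s': %s" % (name, reason))
```

Digested passwords cannot be judged by this check; run it against the plain-text form before digesting, or treat any plain-text manager password as a finding if your policy requires digests.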
Slide 15
What Does The Previous Slide Mean?
It means we have Domain Admin on the network.
This means we now can access ANY system in the Domain.
This means we can see ALL data on all systems in the Domain.
In other words, we now own the network.
We will tell you and do no harm; the bad guys work to other agendas!
Slide 16
Customer Win Story (Penetration Test): A large French company owning several brands decided to assess their systems by performing external and internal penetration testing with IBM.
Business challenge: Concerned about external attacks by real hackers, they wanted to test their systems and their monitoring and response infrastructure against a real hacker attacking from the Internet.
Solution components: IBM penetration testing to identify and help correct exposure to the Internet.
Solution: IBM discovered a critical vulnerability in one of the extensions installed on the CMS powering the public extranet. By exploiting this vulnerability, IBM was able to take control of the hosting server, establish a tunnel (Internet -> DMZ) and project the attacker machine onto the private DMZ segment. The encrypted tunnel nullified network security protections such as the firewall and IPS. The hacker could attack any internal service, gaining access to other hosts and sensitive documents/databases.
Benefits: IBM provided detailed remediation recommendations to the customer, and the issues were resolved quickly.
Slide 17
Customer Win Story (Application Test): A large bank assessed the security risks of Internet-facing applications and infrastructure
Vulnerabilities were found that allowed anybody to get access to confidential data.
Business challenge:
– As part of regular security practice, a large European bank engaged IBM to verify the security of their Internet-facing infrastructure and application.
Solution:
– IBM assessed the infrastructure and found a SQL injection flaw that might be used by an unauthorized attacker to gain access to sensitive data
– IBM also found a SQL injection flaw in one of the applications which gave an attacker full access to internal data
Benefits:
– IBM worked with the application developers to resolve the issues
– The client re-coded as recommended and then IBM retested: all issues were confirmed fixed
Slide 18
So Just How Easy is it to Hack a Web Application (Web Site)?
Slide 19
Social Engineering Testing
This includes the following [1]:
– Workstation/Laptop Security
– Tailgating
– USB Sticks
– Confidential Data
– Phishing (Email and Web)
– Phishing (Phone)
– Customer Specific Tests
[1] This is a pick-and-mix solution and is often bespoke to the client's specific needs.
Slide 20
Definition: Phishing
The art of using social engineering to encourage the user to divulge information.
The user receives an email directing them to a website which looks official, but isn’t!
The user is encouraged to enter account details, passwords, etc.
However, phishing can also be carried out via VoIP, SMS or traditional phones or mobiles.
Slide 21
Spear Phishing
Phishing scam targeting a single company or organisation
– If your users received an email from “H.R.” asking them to confirm their username/password, how many would?
Attacks have a specific aim - to gain access to your internal systems
Many so-called APT* or Targeted attacks use this as one of their main attack vectors.
This is made easier by the vast amount of data most people give away via social media sites and services…
*Advanced Persistent Threat
Slide 22
Phishing (Email and Web)
This fake HSBC email contained a link to the fake HSBC website that was set up specifically for this test. The fake website was hosted at the following URL:
http://hsbc.banking.services.http01.com/HSBC/
Below is a screenshot of the phishing email sent to the supplied addresses from a fake HSBC email account, HSBC.Alert@post.com:
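The two indicators in this test message, a brand name inside a hostname that http01.com actually owns and a sender mailbox named HSBC.Alert on post.com, can be checked automatically. This added example (not from the original deck) does that in Python; the brand allow-list and the second-level-domain shortcut are assumptions made for the example.

```python
# Added example (not from the original deck): flag the two look-alike indicators in
# the test message above: a brand name buried in a hostname whose registrable
# domain is unrelated, and a sender whose mailbox name carries a brand that the
# sending domain does not own.
from urllib.parse import urlsplit

# Constructed allow-list (assumption): brand keyword -> domains the brand really
# uses. In production this comes from a maintained list, not a code literal.
BRAND_DOMAINS = {"hsbc": {"hsbc.com", "hsbc.co.uk"}}

# Labels that usually sit under a country code ("co" in "co.uk"); a real
# implementation would consult the Public Suffix List instead of this shortcut.
SECOND_LEVEL = {"co", "org", "ac", "gov", "com", "net"}

def registrable_domain(host):
    """'hsbc.banking.services.http01.com' -> 'http01.com'; 'www.hsbc.co.uk' -> 'hsbc.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in SECOND_LEVEL else 2
    return ".".join(labels[-n:])

def check_url(url):
    """Brands named in the URL's host or path whose real domains do not own the site."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    text = host + parts.path.lower()   # "/HSBC/" on a foreign domain counts too
    return sorted(b for b, doms in BRAND_DOMAINS.items()
                  if b in text and reg not in doms)

def check_sender(address):
    """Brands named in the mailbox part of an address that the sending domain does not own."""
    local, _, domain = address.rpartition("@")
    reg = registrable_domain(domain)
    return sorted(b for b, doms in BRAND_DOMAINS.items()
                  if b in local.lower() and reg not in doms)

# The URL and sender address quoted on the slide.
PHISH_URL = "http://hsbc.banking.services.http01.com/HSBC/"
PHISH_SENDER = "HSBC.Alert@post.com"

if __name__ == "__main__":
    print("URL impersonates:", check_url(PHISH_URL))              # ['hsbc']
    print("Sender impersonates:", check_sender(PHISH_SENDER))     # ['hsbc']
    print("Genuine:", check_url("https://www.hsbc.co.uk/HSBC/"))  # []
```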
Slide 23
Phishing (Email and Web)
This fake site was complete with a working password box that masked the input (as in real life) and also asked the victim to install a new SSL Certificate (really a renamed payload from the USB stick).
Slide 24
Phishing (Email and Web)
One of the victims clicked on the link in the bogus email and then proceeded to supply their “real” business account details.
The two redacted fields (between the | symbols after the 100000 entry) contained the real HSBC login id and password for the HSBC account for the victim.
Slide 25
Phishing (Phone)
This part of social engineering testing involves phone calls to a pre-agreed number or numbers, pretending to be from the helpdesk, a supplier, or a customer having problems with their account/service.
The story is agreed with the customer before being used; often this will involve several stories and attacks from different vectors (customer, support, HR, etc.).
Then there is Vishing and Smishing…
Slide 26
Solutions – Penetration Test Methodology
• Security is a Journey, not a Destination…
• Uses the same techniques and tools as the Bad Guys and Girls…
• Lots of manual testing using very specialised skills…
• A very detailed report with findings, including step by step details on exactly how we hacked systems or people…
• Report includes a management summary, full technical findings, remediation instructions as well as prioritized recommendations…
Slide 27
The Value of Penetration Testing
IBM penetration testing services can deliver:
– An effective, affordable service that provides a “hacker’s-eye” view of a client’s security posture
– The identification of security issues before they are exploited, providing organizations an opportunity to prevent threats before they can impact the business
– Access to security experts and proven best practices, and a detailed action plan with remediation recommendations
– Assistance in ensuring regulatory compliance and business continuity
Slide 28
Additional Offerings
IBM Penetration Testing Can and Often Does Include:
• Malware Defence Review
• SCADA Penetration Test
• Network Penetration Test
• On-site Penetration Test
• Application Assessment
• Application Code Analysis (web, java, mobile, etc.)
• Social Engineering (“Hacking the Human”)
• Wireless Security Testing
• Emergency Response and Incident Management
Slide 29
Team Skills…Beyond Penetration/Application Testing…
Reverse Engineering
Hardware/Firmware Hacking, including rooting and jail-breaking
Knowledge of iOS, Java, Android as well as the usual suspects…
Malware, Exploits and bypassing security technologies
Coding in C, C++, C#, Java (and derivatives), Perl, Python, PHP,
Basic, Assembler, Shell scripting, Pascal, REXX, etc.
Slide 30
ERS Hotline
Have an emergency? Call IBM ERS 24x7x365
(US) 1-888-241-9812
(WW) 1-312-212-8034
Best practices: ensure you have access to the resources and tools needed to respond quickly to the inevitable incident.
Clients should consider retaining expert security consultants prior to an incident. This ensures guaranteed access to resources, knowledge of your environment, and predictable response times.
As an example, IBM’s Emergency Response Service Subscription includes:
• Initial one-day workshop for incident planning
• 120 staff hours per year, which can be utilized remotely or on site at the client’s discretion for emergency response services or preventative services
• Unlimited emergency declarations
• Two seats on the X-Force Threat Analysis Service
• Quarterly checkpoint, remote support, and update on the threat landscape
We can perform these preemptive incident preparation services at the beginning of, or at any given time during, the subscription:
• Active threat assessment
• Cyber Security Incident Response Program gap assessment
• Incident response training and simulated exercise
Slide 31
Customer Win Story (ERS): An international defence contractor…
An APT was found that allowed attackers to get access to confidential data, including weapons systems code and blueprints, as well as to record executive meetings!
Business challenge:
– The FBI contacted the customer to inform them that they had been hacked and that the attackers were stealing data from them as well as “bugging” key executives’ laptops. They also suggested that they get help in finding and removing the malcode.
Solution:
– IBM identified the new (unknown) malware installed (and how it was hidden)
– IBM identified how, and to which remote systems, the data was being “exfiltrated”.
Benefits:
– IBM identified the new malware and identified how it installed, what it did, etc.
– IBM created a “bespoke” detection and removal script for the customer. This “killed” the malware in memory and then deleted the malware from the system. It also sent reports of infections found and cleaned to the security manager.
– The client was delighted with our speed of action and the complete removal of the malware.
Slide 32
What can you do now?
Be aware. Do security testing (penetration, application, process and procedures, etc.) for visibility and prioritization for a proper risk management strategy.
Be proactive. Manage against vulnerabilities and carry out log analysis, as well as baselining your “normal” network data flows for real-time detection and protection against sophisticated attacks.
Be prepared. Have an incident response plan in place to quickly respond and remediate against a breach, but don’t forget to test it…
When you do suffer a breach (and you will), who are you going to call?
Slide 33
Contact details
Martin Overton
Security Consultant, Ethical Hacker, Malware
Specialist, Forensics, etc.
IBM ISS X-Force – EMEA CSIRT
E-Mail: overtonm@uk.ibm.com
Telephone: +44 (0)239 2563442
Mobile: +44 (0)776 4666939
Slide 35
Who I am, my background, skills, etc.
My name is Martin Overton and I’m a hacker…
Sun Alliance / Royal and SunAlliance
– Joined 1988
– Commissioning PCs, Strategy (hardware and software)
– Responsible for Malware Research/Prevention (10 years), Ethical Hacker (2.5 years)
Outsourced April 2002
– Joined EMEA IGS Security June 2002 as Malware/Anti-Malware SME
– Moved to MSSD (EMEA) June 2004 to set up EMEA Virus CERT, Member of Global Virus CERT
– Moved to ISS X-Force Professional Security Services April 2008
– Also doing ethical hacking, computer forensics and application assessments as well as malware related work.
– Now the EMEA lead for ERS (but still doing the ethical hacking, etc.)
Other
– Helped set up Independent ISS UK User Group
– WildList reporter, Charter member of AVIEN
– Regular lecturer at University of Warwick (amongst others)
– Lots of published papers and presented at many international conferences, such as CompSec, EICAR and Virus Bulletin
– 25+ Years of knowledge on malware and related security threats
– 10+ Years of knowledge in ethical hacking, forensics and application testing