The past couple of years have brought along new vulnerabilities, exploits and attack methods, as well as new data privacy requirements such as the GDPR. All of these things require significant changes to any existing processes and tools, but most importantly, to people's awareness. Come down for a quick overview and live demos of some of the current cyber threats, especially as they pertain to social engineering vectors.
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you keeping up?
1. @ITCAMPRO #ITCAMP18 Community Conference for IT Professionals
The cybersecurity landscape is changing. Are you keeping up?
Tudor Damian
Managing Partner & CIO @ Avaelgo
3. Tudor Damian
• Managing Partner & CIO @ Avaelgo
– Offering Peace of Mind as-a-Service
– 50+ people, 5 Microsoft MVPs
– IT Advisory, Cloud Strategy, Managed Services, Security, Training
• Co-founder @ ITCamp & ITCamp Community
– Cloud and Datacenter Management MVP (Microsoft)
– Certified Ethical Hacker (EC-Council)
– Certified Security Professional (CQURE)
• Contact: tudor.damian@avaelgo.ro / @tudydamian / tudy.tel
4. Session overview
• A cybersecurity primer
• The changing landscape
– Social Engineering
• What’s going on in cybersecurity lately?
– Some of the latest threats, vulnerabilities, exploits and attack methods
• If the demo gods are with us…
– ARP poisoning
– Credential harvesting
– MFA bypass
6. Window of Vulnerability - overview
• Vulnerability is discovered
• Exploit released in the wild
• Zero Day Attacks
• Vulnerability is known by the vendor
• Vulnerability disclosed publicly
• Security tools (IDS, antivirus) get updated
• Patch is published by vendor
• Existence of patch is widely known
• Patch is installed on affected systems
7. Window of Vulnerability - overview
This could take weeks, or even months
8. Essential elements of Information Security
• A state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is kept at low or tolerable levels
Confidentiality
• The assurance that the information is accessible only to those authorized to have access
Integrity
• The trustworthiness of data or resources in terms of preventing improper and unauthorized changes
Availability
• The assurance that the systems responsible for delivering, storing and processing information are accessible when required by the authorized users
Authenticity
• The characteristic of a communication, document or any data that ensures the quality of being genuine
Non-repudiation
• A guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message
9. The underwear study ☺
Source: https://www.kaspersky.com/blog/passwords-are-like-underwear/10645/
10. Passwords are like underwear…
• …change them often
• …don’t leave them lying around
• …don’t share them
11. The underwear study – question 1
Would you say that you have more pairs of underpants (panties, shorts) than passwords?
13. The underwear study – question 2
Speaking about your underwear and your passwords, how often do you change them?
15. The underwear study – question 3
Have you ever shared your underwear or password with a friend or member of your family?
17. We won’t focus on everything… ☺
• Personal Computer Security
• Passwords
• Social Engineering
• Identity Theft
• Email Security
• Safe Browsing
• Data Protection
• Encryption
• Physical Security
• Online Transactions Security
• Digital Signature & Certificates
• Data Backup
• Social Networking
• Antivirus Protection
• Disaster Recovery
• Internet Security
• Credit Card Frauds
• Monitoring Kids Online
• Wireless & Home Network Security
• Bluetooth Security
• Mobile Device Security
• OS Security
• Policies & Compliance
• …
20. Attacks happen fast and are hard to stop
• If an attacker sends an email to 100 people inside your company…
• …23 people will open it…
• …11 people will open the attachment…
• …and 6 of them will do so within the first hour
Source: Verizon Data Breach Report
21. Can we really ignore the human factor?
• 55% of organizations were the target of successful cyber attacks over the course of a year
• Around 84% of cyberattacks reported were due to human error
– Failing to apply a patch, easy-to-guess passwords, phishing, etc.
Source: https://www.computerweekly.com/news/450425184/Security-professionals-name-top-causes-of-breaches
22. Can we really ignore the human factor?
• 42% of security breach victims feel they have to figure out the cause by themselves
– 52% will work with consultants or other outside help
– Under 20% turn to colleagues for advice on data protection and risk mitigation
Source: https://www.computerweekly.com/news/450425184/Security-professionals-name-top-causes-of-breaches
23. Can we really ignore the human factor?
• Only 28% follow best practices by erasing and rebuilding a computer’s software after a potential malware attack
– The others either manually erase the malware (46%) or rely on AV tools to identify and clean the malware (24%)
Source: https://www.computerweekly.com/news/450425184/Security-professionals-name-top-causes-of-breaches
24. You’ve already got social engineers out there
• Psychologists
• Lawyers
• Governments
• Salespeople
• Recruiters
• Spies
• Scammers
• Identity thieves
• etc. ☺
26. The past couple of years came with new threats
• Ransomware-as-a-Service (Karmen)
• Router exploits allowing remote control (Cherry Blossom)
• Data exfiltration via router LEDs (xLED)
• Attacks on Bluetooth (BlueBorne)
• Hacking phones via ultrasound (DolphinAttack)
• Using HDD noise to steal data (DiskFiltration)
• IoT Botnets (Mirai)
• The ability to build your own BTS for less than $1000
• Meltdown & Spectre
• …and many, many more
27. …and we won’t go into details there either ☺
Equifax, Apple, Deloitte, LinkedIn, Sony, VK.com, Dropbox, Amazon, Yahoo, Equation Group, Shadow Brokers,
BlueBorne, CCleaner, MySpace, ExpensiveWall, Dragonfly, Punycode, BadUSB, Superfish, Heartbleed,
Shellshock, Karmen, POODLE, FREAK, GHOST, DROWN, Dirty COW, STAGEFRIGHT, QuadRooter, XCodeGhost,
Mirai, Carbanak, Gemalto, SS7, Locky, DMA Locker, Surprise, Ranscam, SWIFT, Weebly,
Sundown, CrypMIC, TrickBot, Angler, RIG, Tumblr, Neutrino, xDedic, BlackEnergy, ProjectSauron,
Adwind, Danti, SVCMONDR, Lazarus, FruityArmor, ScarCruft, Lurk, Ammyy Admin, Chinastrats, Patchwork,
TeslaCrypt, WannaCry, Petya, NotPetya, Ethereum, LeakerLocker, CouchPotato, NanoCore RAT, SambaCry, Ropemaker
31. Things people need to be reminded of
• No system is 100% secure
– Anyone who thinks differently will eventually be proven wrong
– Constantly find new ways to make it harder for you to be a target
• Security hasn’t really been a priority in past years
– The essential security elements are rarely looked into
– This has affected the entire IT industry (web apps, OS-es, IoT, etc.)
• When it comes to security, try not to look in the wrong place
– It’s rarely about the technology, it’s often about the people
– Social Engineering and insider threats are on the rise