How I'd hack into your business and how you can stop me!
See firsthand how hackers would attack your business and learn effective countermeasures for peace of mind.

Presentation Transcript

  • 1. How I’d hack into your business, and how you can stop me! Michael McKinnon, Security Advisor mmckinnon@avg.com.au | @bigmac
  • 2. What are we looking at today? Ask questions! What sort of business do you have? We are all here to prosper together. AVG Confidential
  • 3. Overview
    • Introduction: Who is AVG? What data are you protecting in your business?
    • Common hack tactics: phishing, wireless networks, website vulnerabilities; malicious links, mobile devices, automated scans
    • Security, it’s a way of thinking: Protect, Detect and Correct; staying in the “know” when it comes to security.
  • 4. Top line statistics in Australia, during 2012:
    • 5.4 million Australians fell victim to cyber crime
    • Estimated cost to the economy $1.65 billion
    • 250 businesses surveyed found 1 in 5 were victims
    • No mandatory disclosure laws means the problem may well be much bigger
  • 5. Business – how vulnerable are you? Is your business MORE or LESS vulnerable than the business next door?
    • 79% of victims were targets of opportunity
    • 96% of attacks were not highly difficult
    • 85% took two weeks or more to discover
    Source: Verizon Data Breach Investigations Report 2012
  • 6. The solutions are NOT expensive
  • 7. Tonight is all about the easy wins (80% / 20%)
  • 8. Who would hack your business, and why?
  • 9. Motive & opportunity. The ability for anyone to attack your business is always based on two factors:
    • How much they want to (their motive)
    • How easy it would be to do (their opportunity)
    When your business is connected to the Internet:
    • Motivations are magnified by currency exchange rates in poorer countries – something you don’t value is worth much more.
    • Opportunity is provided through instant electronic connectivity anywhere in the world.
    It can be so tempting that the motivation is sometimes hard to identify!
  • 10. Types of attackers: targeted attackers; garden-variety cybercriminals
  • 11. Motives – follow the money
    • Cybercriminals tend to “follow the money”, so the types of attack are often predictable: credit card data, private customer information, refund / returns policy, bank accounts, financial processes
    • Think about the money leaving the business…
  • 12. Example – stealing POS transaction data. Lots of examples in the news… http://www.cio.com.au/article/436663/two_romanians_plead_guilty_point-of-sale_hacking/
  • 13. Motives – using your reputation
    • When money isn’t available, you are the stepping stone
    • You could be related to the “real” target
    • So the types of attack change slightly: installing links on your website to snare visitors, private customer information, phishing attacks using your e-mail, passing themselves off as your business
    • The damage to your reputation could last a lifetime
  • 14. Types of attack
  • 15. Common types of attack. How many involve the incorrect use of passwords? 5 out of 10. Source: Verizon Data Breach Investigations Report 2012
  • 16. Malware / Trojans
    • Common varieties that cause general havoc (fake antivirus, ransomware)
    • Retail / POS specific – “RAM scrapers” (designed to exfiltrate transaction data)
    • Remote control Trojan or rootkit (designed to remain hidden for future access)
  • 17. Hacking
    • When combined with custom-written malware, this is highly targeted and designed to avoid detection and remain in place for a long time.
    • In 2011, Verizon reported that 81% of incidents utilised some form of hacking.
  • 18. Attack vectors
  • 19. #1. Default passwords
    1. The user manual says: “Step 1. Change the default password”
    2. Far too common that these are not changed, or they’re changed to someone else’s “default” password (which is widely known)
  • 20. Passwords – back to basics! What should we aim for in a password?
    • Should be easy for you to remember
    • Should be hard for someone else to guess (and “brute-force”)
  • 21. Passwords – world’s top 10 most used: 123456, 123456789, Password, 12345678, 654321, Password1, Password123, 1234567, abc123, Qwerty
  • 22. Can someone guess your password? Favourite football team? Pet’s name? Family members?
  • 23. Rank these passwords in order of strength… 1. E56#av+Yb! 2. Password123 3. aaaaaAAAAA#####43 4. 123456 5. lucasjames (scale label on the slide: MOST SECURE)
  • 24. Why? Anatomy of a good password. The password: aaaaaAAAAA#####43
    • It is 17 characters in length
    • Contains upper and lowercase letters
    • Contains numbers
    • Contains the ‘#’ symbol
    How many combinations?
    • 72 possible characters, 17 characters long is 72^17
    • That’s 37 thousand billion billion billion combinations!
  • 25. Password separation
    • Make new passwords for different accounts you access…
    • Start with your “base” password (aaaaaAAAAA#####43)
    • “Facebook” – you could take the letters “f” and “b” from Facebook and create a new password: aaaaaAAAAA#####43fb
    • “Twitter” – you could take the letters “t” and “r” from Twitter and create another password: aaaaaAAAAA#####43tr
    Mix it up! Be creative! And don’t use these examples!
  • 26. The golden rules of passwords
    • Never, never, ever give your password to someone else!
    • Absolute minimum of 15 characters
    • Use a combination of different characters: upper and lowercase (a – z, A – Z), at least one numeral (0 – 9), at least one symbol (!@#$%^&*()_+=)
    • Password length is always better than randomness
    • Must be easy for you to remember
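The password rules on slides 21, 24 and 26 can be turned into a small checker. This is an added example, not code from the talk or from AVG: it flags the top-10 list, applies the golden rules (15+ characters, upper and lower case, a numeral, a symbol from the slide’s set) and sizes the brute-force search space the way slide 24 does, assuming the slide’s alphabet of 72 characters.

```python
# Added example: checker for the talk's password rules (not AVG's code).
import string

# World's top-10 most used passwords, as listed on slide 21.
TOP10 = ["123456", "123456789", "Password", "12345678", "654321",
         "Password1", "Password123", "1234567", "abc123", "Qwerty"]
SYMBOLS = "!@#$%^&*()_+="   # the symbol set quoted on slide 26
MIN_LENGTH = 15             # "absolute minimum of 15 characters"


def password_issues(pw):
    """Return the golden rules the password breaks (empty list = passes)."""
    issues = []
    if pw.lower() in {p.lower() for p in TOP10}:
        issues.append("on the world's top-10 list")
    if len(pw) < MIN_LENGTH:
        issues.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c in string.ascii_lowercase for c in pw):
        issues.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in pw):
        issues.append("no uppercase letter")
    if not any(c in string.digits for c in pw):
        issues.append("no numeral")
    if not any(c in SYMBOLS for c in pw):
        issues.append("no symbol")
    return issues


def combinations(length, alphabet_size=72):
    """Brute-force search space as computed on slide 24: alphabet ** length.
    The 72-character alphabet is the slide's assumption, not derived here."""
    return alphabet_size ** length


def rank_by_strength(passwords):
    """Order candidates: fewest broken rules first, then longest first
    (slide 26: length beats randomness)."""
    return sorted(passwords, key=lambda p: (len(password_issues(p)), -len(p)))


if __name__ == "__main__":
    for pw in ["aaaaaAAAAA#####43", "Password123", "123456"]:
        print(pw, "->", password_issues(pw) or "passes all rules")
    # 72^17 is roughly 3.7e31, the "37 thousand billion billion billion"
    print("72^17 =", combinations(17))
```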
  • 27. #2. Your vulnerable website
    • Websites are being compromised too frequently, especially WordPress, Joomla and others
    • Is your website password also used elsewhere?
    • Examples of impact to your business could be: theft of credit card details if you have a shopping cart; stolen credentials can be used to access other systems; visitors to your website can be infected/snared into other scams; your website could be implicated in spam or phishing attacks
    • Get your website updated or tested.
  • 28. #3. Insecure wireless networks
    • Wireless networks are convenient
    • But poorly configured they represent a huge security risk!
    • Data packets can be “sniffed” by nearby attackers
  • 29. Secure your wireless networks
    • Amazing how many are insecure – including my GP!
    • Never use “WEP”, always use “WPA” or “WPA2”
    • Wireless password should be very long and NOT easy to remember (okay to write it down somewhere safe)
    • When using public WiFi networks, it’s always better to use password-protected ones rather than “open” wireless networks – easy for criminals to “sniff” the traffic
  • 30. #4. Incorrect internet banking
    • Many businesses I speak with are using “consumer” grade Internet banking: not secured with two-factor authentication; sharing logins with bookkeepers etc. (no ability to separate permissions – i.e. who can transfer money?)
    • General security when accessing Internet banking: never from an unprotected computer – keyloggers etc.; always bookmark the bank URL with https://…
    • SOLUTION: Talk to your bank!
  • 31. Internet banking – two-factor authentication
    • Insist on “two-factor” authentication for business Internet banking; either a security token (preferred) or an SMS response code.
    • Contact your bank ASAP if you find anything unusual
  • 32. #5. Phishing, spear phishing & whaling
    • Sending of specially crafted e-mails to trick users into divulging sensitive information
    • “Click here to see the details of your order” –> (login page)
    • Does your e-mail use anti-spam to stop these? What about the ones that it won’t stop?
  • 33. Scammers & spammers
  • 34. Rogue scanners & fake antivirus
  • 35. Fake antivirus – nag screens and pop-ups
  • 36. Ransomware – “Your PC is blocked…” “Australian Federal Police” labelled ransomware – first appeared late September 2012
  • 37. Scams – fake Telstra emails
  • 38. Scams – fake Facebook emails (received by AVG on 7 August 2012)
  • 39. Social engineering – getting you to click
  • 40. Big events – London 2012 games on YouTube
  • 41. Mobile security – rogue apps
    • Trojan-infected version of ‘Angry Birds Space’ appeared in January 2012
    • Malicious functionality can communicate with remote servers, install additional malware, botnet functions
    • Only download from official app stores
  • 42. SMS scams & extortion attempts
  • 43. “Microsoft” scam – how the call starts
    • “…a partner of Microsoft and Microsoft R&D, given information by your ISP that you are infected…”
    • “…viruses being tracked back to your IP number…”
    • “…Microsoft had told them of the failure and that your system was in danger of crashing…”
    • “…My ID number is XXX. We have been notified that your system is infected…”
    • “…have been commissioned by Microsoft to help people remove malware from infected systems…”
  • 44. Mobile security tips
  • 45. Mobile security – what are the risks?
    • Physical loss of the device, still the biggest risk
    • Infection from malware and possible fraud
  • 46. Mobile security – physical risks
    • Device locks: PIN numbers and/or passwords
    • Can you locate your lost/stolen phone? “Find My iPhone/iPad”; Android solutions as well
  • 47. Mobile security – protecting mobile data
    • What data do you have on your devices? Do an audit to find out!
    • Classify your data and think about the consequences
    • Does it need to be mobile?
    • Device encryption available in latest mobile devices
  • 48. Mobile security – preventing mobile malware
    • Use anti-malware on your mobile
    • Don’t install apps from outside trusted marketplaces
    • When installing apps always check permissions
    • Never, ever hack your phone, i.e. iPhone/iPad “jailbreak” or Android “root”
    • Limit/consider implications of clicking on links on a mobile device, especially via social networking sites
  • 49. Protect, Detect, Correct – adopting a security mindset
  • 50. Identify and classify your data
    • Consider classifying all the data in your business into three areas: Top secret (if obtained could shut your business down); Classified (if obtained would cause embarrassment); Unclassified (everything else, brochures, publicly available)
    • Your strategies around protecting your information will be much easier.
  • 51. Summary
    • Change default passwords, and use strong and long passwords, and separate them.
    • Use strong two-factor authentication whenever you can.
    • If you didn’t ask for it, don’t click the link. But if you do, make sure you’ve got software to detect and correct.
    • Always update your computers and mobile devices (use auto-update where possible).
    • And communicate this advice to your colleagues and staff and even customers! You’re only as secure as your weakest link.
  • 52. Thank you! For more information please visit our website: www.avg.com.au/business facebook.com/avgaunz twitter.com/avgaunz resources.avg.com.au