2. 2015 US Platinum Meeting | New Orleans
pete.pouridis@mcx.com
469-312-2119
3. The Human Element of Information Security
“Companies spend millions of dollars on firewalls, encryption, and secure access devices and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information”
Kevin Mitnick
4.
• Over 60% of breaches involved stolen credentials obtained through social engineering (SE) attacks
• 28% of breaches resulted from weak passwords
• 80% of all breached retailers were PCI compliant at the time of the breach
5. The Attack Vector Of Choice
• Advancement of technology systems
• The majority of systems still rely on static credentials
o User name and password
o Cumbersome, inconvenient, not user friendly
• Exploit human behavior
o Trust of the millennial generation
o Adoption and understanding by the older generation
• Exploit human motivators
o Fear
o Greed
o Willingness to please or serve
6. The Attack Cycle
Typical 4 steps
1. Information Gathering
o The success of an attack depends on this step
o The most important step to focus on, because it determines whether the attack succeeds
2. Establishing Trust/Rapport
o Instantly
o Over time
3. Exploitation
o The attack leverages the trust/rapport built
o The attacker affirms or validates themselves to the target using the information gathered
4. Execution
8. Pick Your Poison
Phishing
• Phishing scams use spoofed emails and websites as lures to prompt people to voluntarily hand over sensitive information.
9. Spear Phishing
• Spear phishing is an email spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data
• The spear phisher thrives on familiarity: he knows your name, your email address and something about you
• Typically not “random hackers”
10. Spear Phishing
“Fear Example”
If you hover your mouse over a link in the email, the status bar at the bottom of the mail client shows the actual website the link will take you to. The visible link text can say anything; only the underlying href matters. Note that most mobile mail clients offer no hover, so this check is only available on a desktop.
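The hover check above can be automated for an HTML message body. The following Python is an added example, not part of the original deck: it collects every anchor, compares the domain in the visible link text against the domain in the href, and additionally flags raw IP addresses and punycode (xn--) hosts. The sample email body is constructed for the example, the function names (`audit_links`, `registrable`) are this example's own, and `registrable()` uses a simplified "last two labels" rule rather than a real public-suffix list.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML body (not from the original slides): two lures and two benign links.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended in 24 hours.</p>
<p>Login now at <a href="http://198.51.100.7/secure/login">https://www.examplebank.com/login</a></p>
<p>Or visit <a href="https://www.xn--exmplebank-xyz.com/">www.examplebank.com</a></p>
<p>Unsubscribe: <a href="https://mail.examplebank.com/unsub">https://mail.examplebank.com/unsub</a></p>
<p>Help: <a href="https://www.examplebank.com/help">Help center</a></p>
"""

# Visible text that a reader would interpret as a URL or bare domain.
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible_text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; bare 'www.example.com/x' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude eTLD+1: last two labels. Simplification: ignores suffixes like co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html: str) -> list:
    """Return one finding per suspicious anchor: href, visible text and the reasons."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        h = host_of(href)
        if is_ip(h):
            reasons.append("raw IP address in href")
        if any(label.startswith("xn--") for label in h.split(".")):
            reasons.append("punycode (IDN) host in href")
        if URL_LIKE.match(text):
            t = host_of(text)
            if registrable(t) != registrable(h):
                reasons.append(f"visible text says {t} but href goes to {h}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML):
        print(f["href"], "<-", repr(f["text"]), ":", "; ".join(f["reasons"]))
```

On the constructed sample the first two anchors are flagged (IP host plus domain mismatch; punycode host plus domain mismatch) and the last two are not, because their visible text either matches the href domain or is not URL-like at all. A mail gateway or awareness tool would run the same logic over the text/html part of each inbound message.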
13. Vishing
• The telephone version of phishing is often called vishing
• Can be used alone or in conjunction with a phishing email
• Relies on social engineering techniques to trick the target into providing PII or other valuable information
14. Smishing
• “Smishing” uses cell phone text messages to lure consumers in. Often the text will contain a URL or phone number
• The phone number often leads to an automated voice response system which asks for your immediate attention
• In many cases the smishing message will come from a "5000" number instead of displaying an actual phone number
• This usually indicates the SMS message was sent via email
16. Malvertising
• A malicious form of Internet advertising used to spread malware
• Hides malicious code within otherwise legitimate-looking online advertisements. These ads can lead a victim to unreliable content or directly infect the victim's computer with malware
• Relies on social network advertising or user-supplied content publishing services
20. Mitigating the Risk
• Have a policy in place
• Educate your staff and associates
o Don’t click through emails or texts from unknown sources
o Don’t publish/share job-related activities on social media and forums
o Regular social engineering pen testing and training
o Third-party vendors and partners
o Protecting your personal and company information
o Call centers and support desk
21. Mitigating the Risk
• Network access
• Local administrator permissions
• Two-factor authentication as a minimum standard
• DLP and data categorization
• Cloud-based storage and collaboration share drives
• Password-protecting files
• Adopt strong user name and password standards
o Regular changing of passwords (caveat: current guidance in NIST SP 800-63B drops mandatory periodic rotation and instead requires a change on evidence of compromise)
o Use of password vault (“e-vault”) applications
o Use single sign-on
o Move away from static credentials
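To make “move away from static credentials” concrete, the following Python is an added example (not from the original deck) of the dynamic credential behind most two-factor tokens: HOTP (RFC 4226) and time-based TOTP (RFC 6238), built on the standard library only. The secret and the time/counter values are the published RFC test vectors; the `verify_totp` helper, its drift window and the replay caveat are this example's own.

```python
import hashlib
import hmac
import struct
import time

# Published RFC 4226 / RFC 6238 test secret: the ASCII string "12345678901234567890".
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept a code for the current step or +/- `window` adjacent steps (clock drift).
    All candidates are compared in constant time and the loop never exits early, so
    timing does not reveal which step (if any) matched.
    Assumption/caveat: a production verifier must also store the last accepted step
    per user and refuse to accept the same code twice (replay); that state is omitted here."""
    if not (code.isdigit() and len(code) == digits):
        return False
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * step, step, digits)
        matched |= hmac.compare_digest(expected, code)
    return matched


if __name__ == "__main__":
    # RFC 6238 reference values for SHA-1, 8 digits, 30-second step.
    for t, expected in [(59, "94287082"), (1111111109, "07081804"), (1234567890, "89005924")]:
        assert totp(RFC_TEST_SECRET, t, digits=8) == expected, t
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "verifies:", verify_totp(RFC_TEST_SECRET, code, now))
```

The property that matters for the slide's argument is visible in `totp()`: a code phished or shoulder-surfed at one moment is useless 30 seconds later, whereas a static password stays valid until it is changed. The shared secret itself is still a static value, so it must live in a hardware token or a protected keystore, never in the same place as the password it supplements.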
Company attacks aim to gain financial or corporate secrets
Consumer [personal] attacks come to you as account takeover (ATO)
In many ways the weakest link
Not effectively addressed, if at all, in a comprehensive security framework
This is a graphical interpretation of the larger breaches over the past 2 years
60% of people use the same user name and password
High-level associates typically give their executive admins/assistants their credentials and access.
The executive admin/assistant typically has elevated access, including access to confidential information
Very high conversion rates: 2-3% vs. 25-30%
4 STEPS OF AN ATTACK CYCLE
Establish Trust/Rapport
Big smile or friendly approach as you grab an opening door
Building an online profile with the target
Exploitation
Holding the door open and allowing access to the building
Giving up user names and passwords
Using the information gathered to validate themselves to the target
Execution
The goal of the attack is accomplished
Erasing digital footprints
It isn’t surprising, then, that the term “phishing” is commonly used to describe these ploys.
There is also a good reason for the use of “ph” in place of the “f” in the spelling of the term.
Some of the earliest hackers were known as phreaks.
Phreaking refers to the exploration, experimenting and study of telecommunication systems.
Phreaks and hackers have always been closely linked.
The “ph” spelling was used to link phishing scams with these underground communities.
BUT - more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.
Configure your mail/messaging platform to prepend “External” to the subject line of inbound email that originates outside the organization, so a message claiming to be from a colleague or the help desk is visibly marked as external.
People can also use this information to pretend to be you and open new lines of credit.
Common forms of vishing are calls claiming to be from the help desk or IT support.
The caller continues to build on the information they obtain (e.g. operating system and version), which validates them with the next level of person they call.
Do not respond to smishing messages: a reply of “STOP” is often used to validate an active number.
Because it is a newer form, people are more susceptible to getting hooked.
EXAMPLE OF A BAD AND A LEGIT SMS TEXT
Malvertising reaches record levels in June
Malvertising campaigns have reached more users than ever before, reported security firm Invincea yesterday, with many brand-name websites affected. The criminals actually bid for the prime advertising slots, though they probably pay for them with stolen credit card numbers. Then they use zero-day Adobe exploits to install clickfraud, botnet, ransomware, and banking Trojan malware. And the attackers don't stop with just one type of infection, he added. "We have seen instances where the initial infection delivers clickfraud malware and then, say, two days later, it will encrypt the hard disk," he said. The websites themselves were not hacked and, for the most part, the publishers were unaware of the malicious activity, according to Belcher, as the criminals got in through the advertising networks. Another tactic that is becoming more common with attackers is that of "sleeper" malware, which lies dormant after download for 14 hours or longer, in order to evade network sandboxes looking for suspicious activity.
Continues to be one of the most popular attacks
Have a policy, so that associates know what to do and who to call
One of the biggest targets: call centers; train them on account maintenance protocols, etc.
SOCIAL MEDIA PUBLISHING
Open Source Intelligence (“OSINT”)
SOCIAL PEN TESTING
Phishing, spear phishing and vishing
Physical access
Drop a black box on an open network jack
Drop a thumb drive
Send a POS keyboard
PROTECTING PERSONAL AND COMPANY INFO
Again: 60% of people use the same password for everything
Clear screen
Move away from static credentials
2 Factor; dynamic authentication; biometrics