Cyber Security The business case for Dynamic Risk Assessment...t Sydney Head Office –Level 8, 59...

Sydney Head Office – Level 8, 59 Goulburn Street, Sydney NSW 2000

Melbourne Office – Level 15, 401 Docklands Drive, Docklands VIC 3008

ABN 14 098 237 908

1300 922 923 NATIONAL

+61 (2) 9290 4444 SYDNEY

+61 (3) 8376 9410 MELBOURNE

info@senseofsecurity.com.au

Presented by

The business case for

Dynamic Risk Assessment

Murray Goldschmidt, Chief Operating Officer

14-Nov-19

RMIA Conference 2019

Cyber Security

Agenda

13-Nov-19© Sense of Security Pty Ltd 2019 2

1. Cyber Security Risk Assessments – What

info is the board getting vs needing?

2. Cyber Security Risk Assessments – What

3. Welcome to Dynamic Risk Assessments

4. Case Study – Critical Infrastructure DRA

Agenda

• Visibility

• Make informed

decisions about

the direction of

the business.

• Shareholder

Risk Assessments – What are the

obligations of the board?

Cyber Risk Assessments

https://www.logicmanager.com/erm-software/2017/09/13/equifax-data-

breach-point-of-no-return/

https://www.gao.gov/assets/700/694158.pdf

Configuration Mgt Among a Litany of Other Problems

Implication, Context & Understanding

•Need to understand technical risks

•Which need technical controls

•Which need to be validated

•In the context in which you run your

business

How could they (you) be better

prepared to address cyber security

issues through risk assessment &

risk management?

Enter Dynamic Risk Assessments (Cyber)

Multi Dimensional• Profile the organisation (extensively)• Identify attack vectors• Determine susceptibility to vectors• Understand Stimulus & Response• Feedback, review, change approach,

on the fly• Provide the most relevant info to the

business to manage risk for yourCONTEXT

Management & Board Questions

Aggregation of risks

Relationship between risk types

Impact to overall risk

Do we have a complete

understanding of our risks?

What about emerging threats that

weren’t previously considered?

How quickly can we respond?

Can we contain the impact to the

business?

Problems with Traditional Risk Assessment

But we hired a security guard!

Risk correlation?Cumulative risk?Linear vs Interconnected Risks

Case Study – Dynamic Risk Assessment

owner & operator of a critical infrastructure

https://www.gao.gov/assets/700/694158.pdf

?SegmentationRate Limiting

?Identification

?Detection

1.Gain access to the network

2.Compromise the Microsoft Active Directory domain

3.Locate, access and exfiltrate the primary datasets

4.Gain access to the main Transport Layer Security (TLS) keys responsible for various encryption functions

5.Compromise isolated systems responsible for delivering critical services

Goal Oriented Risk Assessment

•Reconnaissance

•Attack ==> Persistence

•Goal

The Approach – Dynamic Risk Assessment

Enumerate the external perimeter as much as possible

(IP space, DNS records, Exposed services, technologies in play, SaaS/PaaS etc)

Reconnaissance phase

Perform intelligence gathering on as many employees as possible

Identify possible WiFi networks used by the client.

Perform physical reconnaissance of the corporate offices and identify entry points for

gaining entry

Good Old O365 Defaults …..

An attacker successfully guesses a correct password using a password spraying

technique against an externally exposed outlook web application interface:

The attacker attempts to login to the organisations office365 instances with the newly compromised

credentials but is greeted with a prompt for multi-factor authentication:

Not to be deterred the attacker attempts to add the account via a local copy of outlook

However, the attacker is also prompted to confirm his/her identity via MFA:

Luckily for the attacker the Office 365 administrator has not correctly configured security

permissions for local Outlook applications. Which means the attacker can add a MFA source of

their choosing:

The attacker then receives the MFA code and can proceed with adding the mailbox to their local

outlook instance:

The attacker then receives the MFA code and can proceed with adding the mailbox to

their local outlook instance:

After outlook is restarted, the attacker now has the new mailbox added to their local application

The attacker can now access the organisations Office365 applications and services, all while using

their newly created MFA method:

Persistence phase

• Social engineering

• Phishing

Persistence phase

• Tailgating/physical access

LAN TURTLE

Persistence phase

Remote Access – Back Channel

CORP Network

2.Compromise the domain

The Goal

#Goal 1 Achieved

I like to live dangerously!

I login as a Domain Admin

The Goal

#Goal 2 Achieved

I like to live dangerously!

I login as a Domain Admin

The Goal

#Goal 3 Achieved

The Goal

#Goal 4 Achieved

The Goal

#Goal 5 Achieved

Living off the LandAll goals achieved without

exploiting any vulnerabilities

Security Controls in Place (Good Risk Mgt)

• ISO 27001 (ISMS)• Network Access Control• Outsourced Cyber Security Monitoring• Firewalls, VPNs, Vuln Mgt, Anti Malware etc etc• MFA on Remote Access• MFA on Email• Strong Password Policy• Password Vault for Key Servers with Unique passwords• Privilege Access Mgt Controls – Limited Admins• Swipe Cards for Office Locations

Let down by ….

• Physical access to office• Assumptions on security controls in O365• MFA not correctly configured• Cached admin credentials• Password reuse• Inadequate BIOS controls; Inconsistent Disk Encryption• Falling dominos …. Once Domain is Compromised• SecOps asleep at the wheel• File Server -> Change Requests -> SOPs with system

names -> password safe -> server access -> password safe -> data decryption -> browser cached creds -> system access

• Risk Assessments for this Org were all ok :)

• Risk assessments were asking the right questions – but in isolation

• The business operates in an ecosystem - everything is connected and

compromised

• Risks needs to be assessed dynamically, with context

• “Dynamic Risk Assessments" should be included to give additional

assurance that controls in place are adequate & effective.

Conclusion

Red Team Assessment

• Cyber Risk Assessments require CONTEXT. You need to

understand your environment, your business systems and the

attack vectors that are likely to apply to YOU.

• A Risk Assessment is really only as good as the scope of what

you are looking at. Choose a narrow scope and you will only

protect against a subset of the possible threats (and probably the

wrong ones). You really need to be asking the RIGHT questions,

not just a bunch of questions.

• Attacks generally exploit technical weaknesses and people.

Buying technology doesn’t fix this. The implementation and

ongoing management of the technology is paramount. Personnel

need to operate as Human Firewalls.

3 Key Take Aways

Do you have

any questions?

Sydney Head Office – Level 8, 59 Goulburn Street, Sydney NSW 2000

Melbourne Office – Level 15, 401 Docklands Drive, Docklands VIC 3008

ABN 14 098 237 908

Contact us to discuss how our

security solutions can help protect

your most vital assets.

1300 922 923 NATIONAL

+61 (2) 9290 4444 SYDNEY

+61 (3) 8376 9410 MELBOURNE

info@senseofsecurity.com.au

senseofsecurity.com.au

Cyber Security The business case for Dynamic Risk Assessment...t Sydney Head Office –Level 8, 59...

Documents

Transcript of Cyber Security The business case for Dynamic Risk Assessment...t Sydney Head Office –Level 8, 59...

DECISION - CatholicCare | Canberra & Goulburn · Roman Catholic Archdiocese of Canberra and Goulburn CatholicCare Canberra & Goulburn Enterprise Agreement(CatholicCare Canberra &

Advanced Security Automation in DevOps · Sydney Level 8, 66 King Street Sydney NSW 2000 Melbourne Level 15, 401 Docklands Drive Docklands VIC 3008 Tel. 1300 922 923 Intl. +61 2 9290

Australia: Best Practices. Canberra, Goulburn, Sydney, Melbourne, Brisbane, Perth SE and SW are agricultural areas Population very urbanized: most in.

DOCKLANDS-ENGLISH MENU

Docklands, - oti.com.au

Best practice guidelines: managing threatened beach ... · 59–61 Goulburn Street, Sydney PO Box A290, Sydney South 1232 Phone: (02) 9995 5000 (switchboard) Phone: 131 555 (information

Docklands and Victoria Harbour Field trip. Melbourne Docklands - The Transformation The area now known as Docklands was once a hunting and meeting place.

Icehouse warms up Docklands - Docklands News

Goulburn Mulwaree District Final Report 2015 · Final Report Braidwood Road - Goulburn, Goulburn Mulwaree 2015 Base Date Goulburn Mulwaree LGA Contract No. 347727 Final Report 2015

Docklands Design and Construction Standards · Web viewThe Docklands Design and Construction Standards Public Infrastructure Works (Docklands D&C Standards) is intended for use by

DOCKLANDS WATERWAYS VESSEL TRAFFIC STUDY AND … · docklands coordination committee report agenda item 5.4 docklands waterways vessel traffic study and related strategic documents

featuring a Melbourne to Sydney heritage rail journey · Southern Aurora Junee - Lunch at the Railway Station Café Goulburn - short stop Sydney - disembark the Southern Aurora at

Docklands Dc Data Sheet

Strategic Environmental Compliance and Performance Review ...59–61 Goulburn Street, Sydney PO Box A290 Sydney South, NSW 1232 Phone: (02) 9995 5000 (switchboard) Phone: 131 555 (environment

Docklands jug-aug15-sde

Goulburn Mulwaree Council › files › sharedassets › ... · South Wales, Australia between the State’s capital, Sydney, and Australia’s capital, Canberra. It has a strategic

DOCKLANDS - ENGLISH MENU

GDIF Greenwich + Docklands International Festival 2019 · Greenwich + Docklands International Festival 2019 Welcome to the Greenwich and Docklands International Festival 2018 BROCHURE,

Goulburn High School...Goulburn High School Phone: 48214022 Fax: 48221437 Goldsmith Street Goulburn NSW 2580 5th December 2012 12/12 Principal’s Report Emmot Falconer Goulburn Police

Docklands medical centre