A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market:...
Transcript of A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market:...
![Page 1: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/1.jpg)
A Brief Look at CybersecurityMay 14, 2015
Nate Gravel CISA, CISM, CRISCDirector – Information Security Practice
W. Jackson SchultzSecurity Consultant – Information Security Practice
![Page 2: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/2.jpg)
Founded in 1994
Located in Peabody
Family-Owned and Operated
Information Security Practice Risk Management and Compliance
IT Assurance
IT Audit
GraVoc Associates, Inc.
![Page 3: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/3.jpg)
Recent Events & Regulatory Developments
Cybercrime Markets & Business Models
Cybersecurity Trends & Emerging Threats
Countermeasures & Security Best Practices
Question & Answer
Today’s Agenda
![Page 4: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/4.jpg)
Recent Events & Regulatory Developments
![Page 5: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/5.jpg)
Recent Events
Target: 40 Million Credit
Cards Compromised
- CNN, December 19, 2013
![Page 6: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/6.jpg)
Recent Events
OpenSSL Heartbleed: The Bug That Could Affect Two-Thirds of Web- ABC, April 12, 2014
![Page 7: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/7.jpg)
Recent Events
Home Depot Hack Could Lead to $3 Billion in Fraudulent Charges- CBS News, September 16, 2014
![Page 8: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/8.jpg)
Recent Events
Shellshock makes Heartbleed
Look Insignificant
- ZDNet, September 29, 2014
![Page 9: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/9.jpg)
Recent Events
JPMorgan Chase Says 76 Million Households Affected by Data Breach- NBC News, October 3, 2014
![Page 10: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/10.jpg)
Recent Events
Cyber Attack Could Cost Sony
Studios as Much as $100 Million
- Reuters, December 10, 2014
![Page 11: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/11.jpg)
Recent Events
Millions of Anthem Customers
Targeted in Cyber Attack
- The New York Times, February 5, 2015
![Page 12: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/12.jpg)
Recent Events
Fraudsters Drain Starbucks
Accounts
- BankInfoSecurity, May 13, 2015
![Page 13: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/13.jpg)
Recent Regulatory Developments
Cybersecurity FrameworkFebruary, 2014
Summary:
Identify, Protect, Detect, Respond, Recover
![Page 14: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/14.jpg)
Recent Regulatory Developments
Joint Statements on Cybersecurity Threats
April, 2014 - Present
Including:
DDoS, Shellshock, ATM Cash Out, Malware, Credentials
![Page 15: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/15.jpg)
Recent Regulatory Developments
Cybersecurity Assessment General Observations
November, 2014
Areas for Improvement:
Threat Intelligence & Collaboration
Cyber Incident Management & Resilience
External Dependency (Vendor) Management
![Page 16: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/16.jpg)
Cybercrime Markets & Business Models
![Page 17: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/17.jpg)
In 2014, the cybercrime market caused an estimated $120 billion in direct cash loss to U.S. businesses and consumers.
Cybercrime Market
![Page 18: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/18.jpg)
$120 billion could buy:
Cybercrime Market
![Page 19: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/19.jpg)
Cybercrime: The Underground Economy
Stolen Assets/ Criminal Activity Payout
Credit Card Numbers $5- $10 for virgin account
Bank Credentials $80 - $700
Bank Transfers 10% - 50%
Social Security Number $30 - $50
Zero Day Exploits $1,000 - $100,000
Exploits for Known Vulnerabilities $500 - $2,000
Malware (Pay per Install) Up to $1.50 (U.S. victims)
![Page 20: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/20.jpg)
Hacktivist
Government/state-sponsored
Cyber-terrorist
Black Hat
White Hat
Grey Hat
Cybercrime Market:Types of Hackers
![Page 21: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/21.jpg)
Create Revenue-Generating Framework
Assign Unique Roles Amongst Members
Share Profits (% depends on role)
Cybercrime Business Models
Organized.
Traditional mafia families have moved into cyber crime space
![Page 22: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/22.jpg)
Leader
Malware Developer
Rootkit Developer
Exploit Developer
Hacker
Cybercrime Business Model:Typical Group Roles
![Page 23: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/23.jpg)
Botnet Services
DDoS Attacks
Malware (Rogue Antivirus, Ransomware)
Access to Corporate Networks
Hackers for Hire
Cybercrime Business Models:Verticals
![Page 24: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/24.jpg)
Cybersecurity Trends & Emerging Threats
![Page 25: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/25.jpg)
Social engineering:
The art of manipulating people into performing actions or divulging confidential information.
Cybersecurity Trends: Social Engineering
![Page 26: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/26.jpg)
Cybersecurity Trends: Social Engineering
Phishing
Pretext Calling
Baiting
Tailgating
Impersonation
![Page 27: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/27.jpg)
Cybersecurity Trends: Social Engineering
A primary threat of the “Information Age”
Becoming increasingly sophisticated
![Page 28: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/28.jpg)
Used to gather information (TMI)
Trusted community
Easy target for social engineers and hackers
Malware
Cybersecurity Trends:Social Engineering & Social Media
![Page 29: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/29.jpg)
Targeted attacks
Get most information from legitimate sources like Registry of Deeds
Cybersecurity Trends: Social EngineeringHELOC Wire Fraud
Throughout MA (2012-2013)FIs: Multiple
![Page 30: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/30.jpg)
Targets business online banking accounts
Relies on weaknesses in multifactor authentication and end-user (customer) control environment
Some experts estimate $754 million in losses from CATO by 2016
Cybersecurity Trends:Corporate Account Takeover (CATO)
![Page 31: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/31.jpg)
$588,851 stolen
Changed liability landscape for financial institutions
Cybersecurity Trends:Corporate Account Takeover (CATO)
PATCO (2009-2012)FI: Ocean Bank (People’s United)
![Page 32: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/32.jpg)
Difficult to Defend
Use Network of Compromised Systems (Botnet) to Create Flood of Traffic
Rely on General Lack of Security Awareness
Cybersecurity Trends:Distributed Denial of Service (DDoS)
![Page 33: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/33.jpg)
Over $900,000 stolen
DDoS on Bank website used as decoy for CATO
Cybersecurity Trends:Distributed Denial of Service (DDoS)
Ascent Builders (2012)FI: Bank of the West
![Page 34: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/34.jpg)
ATMs, gas pumps, point of sale (POS) terminals
Can be added and removed by attackers in seconds.
Used to steal card data and PIN
Cybersecurity Trends: Skimming Devices
![Page 35: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/35.jpg)
Malicious code or virus
Used to steal data or remotely control infected device (botnet) to carry out attacks (DoS and DDoS)
Prolific: 40,000 new strains per day
Cybersecurity Trends: Malware
![Page 36: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/36.jpg)
Viruses
Trojans
Worms and Bugs
Adware
Spyware
Ransomware
Cybersecurity Trends: Types of Malware
![Page 37: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/37.jpg)
OpenSSL Heartbleed
Shellshock (BashBug)
POODLE (SSL v3)
Sandworm
Venom
Emerging Threats:Web-Based & Zero-Day Vulnerabilities
![Page 38: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/38.jpg)
Zero Day Exploit: Venom Vulnerability
Announced yesterday
Likely affects millions of devices
Allows hackers to break into every CPU on a datacenter’s network by accessing all virtual machines.
![Page 39: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/39.jpg)
Emerging Threats: Internet Of Things
All devices connect and interact via Internet
Mostly consumer technology and household appliances
Represents major threat to infrastructure
![Page 40: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/40.jpg)
Countermeasures &Security Best Practices
![Page 41: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/41.jpg)
Foster a “security culture” (rather than a compliance culture)
Monitor risk identified by internal/external assessments and testing
Begin to recognize security as its own business process/department
Countermeasures: Management
![Page 42: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/42.jpg)
Create a governance process that ensures security incidents are escalated appropriately from IT and risk management personnel to Management and, eventually, to the Board
Ensure cybersecurity threats are considered as part of vendor management and due diligence
Countermeasures: Management
![Page 43: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/43.jpg)
Increase frequency and scope of patching, system hardening, and vulnerability assessment
Improve detection and response controls through security information and event management (SIEM)
Countermeasures: Technology
![Page 44: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/44.jpg)
More in-depth security awareness training and social engineering testing at all levels: staff, management, Board
Continually share information on cyber threats internally and with peer institutions
Increase efforts to educate customers
Countermeasures: Training
![Page 45: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/45.jpg)
Question & Answer
![Page 46: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/46.jpg)
Question & Answer
![Page 47: A Brief Look at Cybersecurity · 2020. 1. 7. · Black Hat White Hat Grey Hat Cybercrime Market: Types of Hackers ... Hackers for Hire Cybercrime Business Models: Verticals. Cybersecurity](https://reader033.fdocuments.in/reader033/viewer/2022060523/6053437d62634e56c6577696/html5/thumbnails/47.jpg)
Nate GravelDirector – Information Security Practice
978-538-9055 ext. 129
W. Jackson SchultzSecurity Consultant – Information Security Practice
978-538-9055 ext. 131
Thank You!