Cyber Security The business case for Dynamic Risk Assessment...t Sydney Head Office –Level 8, 59...

t

Sydney Head Office – Level 8, 59 Goulburn Street, Sydney NSW 2000

Melbourne Office – Level 15, 401 Docklands Drive, Docklands VIC 3008

ABN 14 098 237 908

1300 922 923 NATIONAL

+61 (2) 9290 4444 SYDNEY

+61 (3) 8376 9410 MELBOURNE

[email protected]

Presented by

The business case for

Dynamic Risk Assessment

Murray Goldschmidt, Chief Operating Officer

14-Nov-19

RMIA Conference 2019

Cyber Security

t

Agenda

13-Nov-19© Sense of Security Pty Ltd 2019 2

1. Cyber Security Risk Assessments – What

info is the board getting vs needing?

2. Cyber Security Risk Assessments – What

type?

3. Welcome to Dynamic Risk Assessments

4. Case Study – Critical Infrastructure DRA

Agenda

t

• Visibility

• Make informed

decisions about

the direction of

the business.

• Shareholder

value

Risk Assessments – What are the

obligations of the board?


t


t

Cyber Risk Assessments


t



t


https://www.logicmanager.com/erm-software/2017/09/13/equifax-data-

breach-point-of-no-return/

https://www.logicmanager.com/erm-software/2017/09/13/equifax-data-breach-point-of-no-return/

t


t


https://www.gao.gov/assets/700/694158.pdf


t

Configuration Mgt Among a Litany of Other Problems


t

Implication, Context & Understanding


•Need to understand technical risks

•Which need technical controls

•Which need to be validated

•In the context in which you run your

business

ICU

t

How could they (you) be better

prepared to address cyber security

issues through risk assessment &

risk management?


t


Enter Dynamic Risk Assessments (Cyber)

Multi Dimensional• Profile the organisation (extensively)• Identify attack vectors• Determine susceptibility to vectors• Understand Stimulus & Response• Feedback, review, change approach,

on the fly• Provide the most relevant info to the

business to manage risk for yourCONTEXT

t

Management & Board Questions


Aggregation of risks

Relationship between risk types

Impact to overall risk

Do we have a complete

understanding of our risks?

What about emerging threats that

weren’t previously considered?

How quickly can we respond?

Can we contain the impact to the

business?

t

Problems with Traditional Risk Assessment


But we hired a security guard!

Risk correlation?Cumulative risk?Linear vs Interconnected Risks

t


t

Case Study – Dynamic Risk Assessment

owner & operator of a critical infrastructure


t


t


?SegmentationRate Limiting

t


?Identification

t


?Detection

t

1.Gain access to the network

2.Compromise the Microsoft Active Directory domain

3.Locate, access and exfiltrate the primary datasets

4.Gain access to the main Transport Layer Security (TLS) keys responsible for various encryption functions

5.Compromise isolated systems responsible for delivering critical services

Goal Oriented Risk Assessment


t

•Reconnaissance

•Attack ==> Persistence

•Goal

The Approach – Dynamic Risk Assessment


t

Enumerate the external perimeter as much as possible

(IP space, DNS records, Exposed services, technologies in play, SaaS/PaaS etc)

Reconnaissance phase


Perform intelligence gathering on as many employees as possible

Identify possible WiFi networks used by the client.

Perform physical reconnaissance of the corporate offices and identify entry points for

gaining entry

t

Good Old O365 Defaults …..


t


An attacker successfully guesses a correct password using a password spraying

technique against an externally exposed outlook web application interface:

t


The attacker attempts to login to the organisations office365 instances with the newly compromised

credentials but is greeted with a prompt for multi-factor authentication:

t


Not to be deterred the attacker attempts to add the account via a local copy of outlook

t


However, the attacker is also prompted to confirm his/her identity via MFA:

t


Luckily for the attacker the Office 365 administrator has not correctly configured security

permissions for local Outlook applications. Which means the attacker can add a MFA source of

their choosing:

t


The attacker then receives the MFA code and can proceed with adding the mailbox to their local

outlook instance:

t


The attacker then receives the MFA code and can proceed with adding the mailbox to

their local outlook instance:

t


After outlook is restarted, the attacker now has the new mailbox added to their local application

t


The attacker can now access the organisations Office365 applications and services, all while using

their newly created MFA method:

t

Persistence phase


t

• Social engineering

• Phishing

Persistence phase


t

• Tailgating/physical access

LAN TURTLE

Persistence phase


t


t


Remote Access – Back Channel

CORP Network

t


2.Compromise the domain




The Goal


#Goal 1 Achieved

t


t


I like to live dangerously!

I login as a Domain Admin

t


t






The Goal


#Goal 2 Achieved

t


t


I like to live dangerously!

I login as a Domain Admin

t


t






The Goal


#Goal 3 Achieved

t


t






The Goal


#Goal 4 Achieved

t


t






The Goal


#Goal 5 Achieved

t


Living off the LandAll goals achieved without

exploiting any vulnerabilities

t

Security Controls in Place (Good Risk Mgt)


• ISO 27001 (ISMS)• Network Access Control• Outsourced Cyber Security Monitoring• Firewalls, VPNs, Vuln Mgt, Anti Malware etc etc• MFA on Remote Access• MFA on Email• Strong Password Policy• Password Vault for Key Servers with Unique passwords• Privilege Access Mgt Controls – Limited Admins• Swipe Cards for Office Locations

t

Let down by ….


• Physical access to office• Assumptions on security controls in O365• MFA not correctly configured• Cached admin credentials• Password reuse• Inadequate BIOS controls; Inconsistent Disk Encryption• Falling dominos …. Once Domain is Compromised• SecOps asleep at the wheel• File Server -> Change Requests -> SOPs with system

names -> password safe -> server access -> password safe -> data decryption -> browser cached creds -> system access

t

• Risk Assessments for this Org were all ok :)

• Risk assessments were asking the right questions – but in isolation

• The business operates in an ecosystem - everything is connected and

related

• There were no “vulnerabilities” yet the business was totally

compromised

• Risks needs to be assessed dynamically, with context

• “Dynamic Risk Assessments" should be included to give additional

assurance that controls in place are adequate & effective.

Conclusion


Red Team Assessment

t

• Cyber Risk Assessments require CONTEXT. You need to

understand your environment, your business systems and the

attack vectors that are likely to apply to YOU.

• A Risk Assessment is really only as good as the scope of what

you are looking at. Choose a narrow scope and you will only

protect against a subset of the possible threats (and probably the

wrong ones). You really need to be asking the RIGHT questions,

not just a bunch of questions.

• Attacks generally exploit technical weaknesses and people.

Buying technology doesn’t fix this. The implementation and

ongoing management of the technology is paramount. Personnel

need to operate as Human Firewalls.

3 Key Take Aways


t

Do you have

any questions?


t

Sydney Head Office – Level 8, 59 Goulburn Street, Sydney NSW 2000

Melbourne Office – Level 15, 401 Docklands Drive, Docklands VIC 3008

ABN 14 098 237 908

Contact us to discuss how our

security solutions can help protect

your most vital assets.

1300 922 923 NATIONAL

+61 (2) 9290 4444 SYDNEY

+61 (3) 8376 9410 MELBOURNE

[email protected]

senseofsecurity.com.au

Cyber Security The business case for Dynamic Risk Assessment...t Sydney Head Office –Level 8, 59...

Documents

Transcript of Cyber Security The business case for Dynamic Risk Assessment...t Sydney Head Office –Level 8, 59...