TRANSFORMING CYBERSECURITY, RISK AND CONTROL FOR EVOLVING THREATS

Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM

Cybersecurity Nexus Liaison

ISACA, Indonesia

Cyber Resilience in Financial Institutions

Mitigating cybersecurity risks through an analytical, governance and algorithmic framework

9-11 Mar 2015 Hilton Singapore, Singapore

DEMO CASE BY YOKO ACC

SCENARIO

• Attacker: 131.107.1.101

• Victim 1: 131.107.1.200

• Victim 2: 172.101.101.3

• Victim 1: Weak password

• Victim 2: JBoss default installation

• Video Access:

http://kaminfo.id/demo/1-weak-password.mp4

http://kaminfo.id/demo/2-Jboss.mp4

http://kaminfo.id/demo/3-sshkey.mp4

First Scenario:

• The attacker runs a dictionary attack against the first victim, which has a weak-password problem.

• After taking over the server, the attacker looks through the victim's data and information.

• The attacker learns which web server the victim runs (JBoss).

Second Scenario:

• The attacker uses the first victim's machine to exploit the JBoss server (since the attacker does not know its password).

• The attacker gains access and can view the contents of the server.

Third Scenario:

• SSH-key

Fourth Scenario: Antivirus (AVG2014) bypass http://goo.gl/F70KIH

MANAGING ACCESS

Q and A:

• Q: What if the victim (on a Linux machine with root:toor) changes their password?

• A: The attacker just needs to:

1. Go to the target's .ssh directory.

2. Generate an authorized key on our machine and paste it into the target's .ssh directory.

If we do this, every time we want to connect to the target's machine via SSH we no longer need to enter the password, even if the target has already changed it.

Q: Have you changed your password?

Q: Is it possible that the 2nd scenario happens over the Internet (not only on the internal network)?

Q: Have you ever looked at the authorized SSH keys on your server?
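The last question is the defender's check for the persistence trick described in the answer above: a planted public key in authorized_keys survives any password change, so the file has to be reviewed against a known inventory. The following audit script is an added example, not part of the original deck; it parses authorized_keys entries (including option-prefixed ones), computes the SHA256 fingerprint in the same form `ssh-keygen -lf` prints, and flags any key whose fingerprint is not in an approved list. The key material and inventory are constructed sample data, not real keys.

```python
import base64
import hashlib
import struct
from typing import NamedTuple

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "sk-ssh-ed25519@openssh.com"}

class Entry(NamedTuple):
    options: str      # e.g. command="...",no-pty (empty string when none)
    key_type: str
    fingerprint: str  # SHA256:... as printed by `ssh-keygen -lf`
    comment: str

def fingerprint(blob_b64: str) -> str:
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = line.split()
        # Options precede the key type; anything before the type token is kept as the option string.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append(Entry("UNPARSED", "?", "?", line.strip()))  # malformed lines still get reviewed
            continue
        entries.append(Entry(" ".join(tokens[:idx]), tokens[idx],
                             fingerprint(tokens[idx + 1]), " ".join(tokens[idx + 2:])))
    return entries

def audit(authorized_keys: str, approved_pubkeys: list[str]) -> list[Entry]:
    """Entries whose fingerprint is absent from the approved key inventory."""
    approved = {fingerprint(k.split()[1]) for k in approved_pubkeys}
    return [e for e in parse_authorized_keys(authorized_keys) if e.fingerprint not in approved]

# Constructed sample data: syntactically valid ed25519 blobs built from fixed bytes, not real keys.
def _ed25519_pubkey(seed: int, comment: str) -> str:
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

APPROVED = [_ed25519_pubkey(1, "admin@workstation")]          # what the key inventory says
HOST_FILE = "\n".join([                                       # what the host's authorized_keys holds
    "# approved admin key",
    APPROVED[0],
    'command="/usr/bin/backup",no-pty ' + _ed25519_pubkey(1, "admin-backup"),
    _ed25519_pubkey(2, "unknown-key@lab"),                    # not in inventory -> flagged
])
```

Running `audit(HOST_FILE, APPROVED)` on a real host means feeding it the contents of each user's authorized_keys file; the approved list is whatever your key inventory exports.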

TEASER Q & A

NETWORK IS COMPROMISED

APT LIFE CYCLE

HOW FAST

TEN ASSESSMENT SCENARIOS

THREAT

ADAPTIVE ATTACK VECTOR

Security Issue | Security Solution | Adaptive Attack Vector

Single-factor authentication | Multifactor authentication | Break into token vendor

Malware writer, masquerade | Digital certificate | Break into a credible vendor

Antivirus approach (blacklisting) | Whitelisting | Break into application whitelisting vendor (Bit9)

RESPONSE

CYBERVULNERABILITIES, THREAT AND RISK

Vulnerability | Threat | Risk and Impact

Spear phishing | Attacker may gain access through phish payload or combined social-technical follow-up | Initial data loss or leakage leading to secondary impact

Water holing | Attacker may gain control of websites and subsequent control of visitors | Initial behavior errors leading to secondary impact

Wireless/Mobile APT | Compromise wireless channel to enable control | Partial or full control of wireless or mobile; direct/indirect impact on service and application

Zero-day | Use zero-day to circumvent defences | Partial / full control of application and underlying system

Excessive privilege | Inside attack | Full and (technically) legitimate control outside GRC, secondary impacts

Home user APT | Attack uses the home environment, which may be less well protected than the organization environment | Partial or full control of wireless or mobile; direct/indirect impact on service and application

CYBERVULNERABILITIES IN CONTEXT

Vulnerability | Motive | Opportunity | Effort

Spear phishing | Financial, espionage, data theft, preparatory to main attack | Email access to target | Medium to high, depending on quality of phish

Water holing | Financial, espionage, data theft, preparatory to main attack | Email access to target, control of web sites | High, depending on precision of targeting

Wireless/Mobile APT | Financial, espionage, extortion, theft of personally identifiable information | Proximity to target | Low to medium

Zero-day | Financial, operational, data theft, extortion, control of technical infrastructure | Availability of suitable zero-day exploits, organized handling of exploit | Medium to high

Excessive privilege | Financial, personal, data theft, extortion, reputational | Deficiencies in IDM, corruption | Low to medium

Home user APT | Financial, espionage, extortion, theft of personally identifiable information | Physical or logical access to target | Low to high, depending on level of protection of target environment

PIRT

The CSX Liaison reports to the chapter president.

RISK-BASED CATEGORIZATION CONTROL

• Q&A

• isaca.org/cyber

• ISACA Cybersecurity Teaching Materials