Who is really in control of our Systems? Cyber Threats for Business

Ray Evans, Regional Leader of EMEA, X-Force Red

© 2017 IBM Corporation

Cyber Threats for Business - IBM · 2017-03-21



Agenda

• Video - Hacked

• Threats to consider & Solutions
  – Social Engineering and Phishing
  – Massive Cyber Attacks
  – Internet of Things
  – Distributed Denial of Service (DDoS) Attacks

• Conclusions

• Questions


Video

An example of a system compromise and what could be the outcome …

URL: https://www.youtube.com/watch?v=nG36lKhy7ko

8 sec to 3 minutes 56 seconds


SOCIAL ENGINEERING AND PHISHING


Spear Phishing

• Phishing scam targeting a single company or organisation

• Attacks have a specific aim - to gain access to your internal systems

• Many so-called APT or Targeted attacks use this as one of their main attack vectors

• This is made easier by the vast amount of data most people give away via social media sites and services


Spear Phishing

• Spear phishing emails: 70% open rate, 3% for mass spam emails

• Further, 50% of recipients who open spear phishing emails also click on links, which is 10 times the rate for mass mailings

• Compared to broad-based emails, spear phishing costs 20 times more per individual targeted

• However, the average return from each spear phishing victim is 40 times more than that of phishing.

• A spear phishing campaign comprised of 1,000 messages is likely to generate 10 times the revenue of a phishing mailing targeting 1 million individuals

Spear Phishing Success

• 70% open emails
• 50% click on links
• 40 times the return on investment for threat actors when compared to standard phishing runs for a single target


Penetration Testing Win Story: Utility Middle East

IBM showed that, using the human element as an attack vector, it was possible to circumvent system security.

IBM demonstrated that a determined hacker can get around filters and antivirus deployed in an organization.

• Business Challenge:
  – Test if it was possible to reach the internal SCADA network from the Internet, using a spear phishing attack via e-mail

• What We Did:
  – The client had a secure mail filtering system, preventing e-mail attacks generated by any standard framework on the Internet
  – IBM designed a malicious mail campaign, using a manual approach, tailored to circumvent the filters
  – A large percentage of the staff were tricked into giving up their intranet credentials, and several staff were lured into installing backdoors on workstations
  – This allowed IBM full access to the intranet from the outside and by pivoting off compromised workstations. Access included sensitive fileshares / documents and access to SCADA Web interfaces


Phishing – Ponemon 2015 Phishing Study

• Security Education Improves Phishing Defense by 64% and Delivers 50X Return on Investment
  – According to Independently Conducted Ponemon Study

• Even with automated training programs costing < £5 per staff member, organizations could see an ROI of 20 to 50 times that amount

Without Training – The costs and impact are frightening!


MASSIVE CYBER ATTACKS


Massive Cyber Attacks – Shamoon2 and StoneDrill


Recovering from a Massive Cyber Attack

• Lessons learnt:
  – No evidence of data exfiltration; the purpose of the malware was to cause widespread disruption / destruction of computer networks
  – When Saudi Aramco was breached in 2012, Shamoon destroyed close to 40,000 computers, and it took two weeks to recover
  – Reason for the latest breach: “poor adherence to security protocol … the need for better education, such as teaching staff not to click on links in suspicious emails!”

• Questions to ask yourselves:
  – How quickly could your business recover from this type of attack?
  – Would it be quick enough for the business to survive?
  – How often do you have offline backups taken?

Could this happen to you AND could the business survive the impact?


INTERNET OF THINGS (IOT): PARADISE FOR HACKERS!


The Internet of Things!


Healthcare

• ICS-CERT reported that around 300 machines from 40 vendors have hard-coded passwords. These include:
  • Pacemakers
  • Surgical and anesthesia devices
  • Ventilators
  • Drug infusion pumps
  • External defibrillators
  • Patient monitors
  • Laboratory and analysis equipment
  • Drug control systems
  • Patient records
  • Surgery robots (tele-operated)


Critical Infrastructure - Airplanes

• IP connectivity used in aircraft systems

• Wi-Fi, plane apps and In-Flight Entertainment systems are popular

• Creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems


Penetration Test Win Story: Car manufacturer

IBM showed that integrated tests can identify flaws that would not be identified by individual tests.

The customer improved security by having end-to-end testing of their solution.

• Business Challenge:
  – The company wanted IBM to test a new connected car solution prior to release in Europe

• What We Did:
  – IBM analysed hardware and firmware on the device implanted in the car
  – Tests on the full scope of the solution, from the mobile application to the GPRS/GSM communication of the device to the backend

• Benefits:
  – The integrated view allowed the identification of vulnerabilities and corresponding business impact that would not be identified if components were to be tested individually
  – The client was able to improve the security of the solution before it went to market, avoiding a public image problem


DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS


Distributed Denial of Service (DDoS) Attack

• ICMP (Ping Flood) aka “Smurf Attack”

• Lots of other DDoS methods

• Easy and cheap to carry out, just need willing volunteers or a Botnet

"From a philosophical perspective, if the attacker's pipe is bigger than the defender's pipe, the attacker can always knock out the defender"

- Bruce Schneier


DDoS Generated by Internet of Things!

• Massive DDoS 1.2Tbps from 100,000 malicious endpoints

• Mirai botnet of IoT devices such as digital cameras and DVR

• DDoS can be a Smoke Screen for something else bad that is “about to happen” or has “just happened”

• Solutions
  • Plan ahead for this event
  • Test solutions you have bought


X-Force Red DDoS Testing Solution

• This solution has been used in many customer engagements with a 100% success rate, i.e. the system becomes unreachable

• Currently, attacks of 20 Gbps have been conducted

• Clients in all geographies have used the service

• Uses IBM Distributed Cloud Service Bluemix


Conclusions

• Phishing and social engineering will happen, and the best defence is User Awareness Education

• Start planning now so you can survive a massive cyber attack

• If you use OR, even more importantly, build any IoT, then do get it security tested before a Third Party does

• DDoS is a pain; prepare in advance, and always check and keep those logs


Questions?


ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.

IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

FOLLOW US ON:

THANK YOU