© 2017 IBM Corporation
Ray Evans
Regional Leader of EMEA, X-Force Red
Who is really in control of our Systems?
Cyber Threats for Business
Agenda
• Video - Hacked
• Threats to consider & Solutions
  – Social Engineering and Phishing
  – Massive Cyber Attacks
  – Internet of Things
  – Distributed Denial of Service (DDoS) Attacks
• Conclusions
• Questions
Video
An example of a System Compromise and what could be the outcome ...
URL: https://www.youtube.com/watch?v=nG36lKhy7ko
8 sec to 3 minutes 56 seconds
SOCIAL ENGINEERING AND PHISHING
Spear Phishing
• Phishing scam targeting a single company or organisation
• Attacks have a specific aim - to gain access to your internal systems
• Many so-called APT or Targeted attacks use this as one of their main attack vectors
• This is made easier by the vast amount of data most people give away via social media sites and services
Spear Phishing
• Spear phishing emails: 70% open rate, versus 3% for mass spam emails
• Further, 50% of recipients who open spear phishing emails also click on links, which is 10 times the rate for mass mailings
• Compared to broad-based emails, spear phishing costs 20 times more per individual targeted
• However, the average return from each spear phishing victim is 40 times more than that of phishing
• A spear phishing campaign comprised of 1,000 messages is likely to generate 10 times the revenue of a phishing mailing targeting 1 million individuals

Spear Phishing Success
• 70% open emails
• 50% click on links
• 40 times the return on investment for threat actors when compared to standard phishing runs for a single target
Penetration Testing Win Story: Utility Middle East
IBM showed that, using the human element as an attack vector, it was possible to circumvent system security.
IBM demonstrated that a determined hacker can get around filters and antivirus deployed in an organization.
• Business Challenge:
  – Test if it was possible to reach internal SCADA network from the Internet, using a spear phishing attack via e-mail
• What We Did:
  – Client had secure mail filtering system, preventing e-mail attacks generated by any standard framework, on the Internet
  – IBM designed a malicious mail-campaign, using a manual approach, tailored to circumvent the filters
  – Large percentage of the staff were tricked into giving up their intranet credentials and several staff were lured into installing backdoors on workstations
  – This allowed IBM full access to the intranet from the outside, and by pivoting off compromised workstations. Access included sensitive fileshares / documents and access to SCADA Web interfaces
Phishing – Ponemon 2015 Phishing Study
• Security Education Improves Phishing Defense by 64% and Delivers 50X Return on Investment
  - According to Independently Conducted Ponemon Study
• Even with automated training programs costing < £5 per staff member, organizations could see an ROI of 20 to 50 times that amount
Without Training – The costs and impact are frightening!
MASSIVE CYBER ATTACKS
Massive Cyber Attacks – Shamoon2 and StoneDrill
Recovering from a Massive Cyber Attack
• Lessons learnt:
  – No evidence of data exfiltration; purpose of the malware was to cause widespread disruption / destruction of computer networks
  – When Saudi Aramco was breached in 2012, Shamoon destroyed close to 40,000 computers; took two weeks to recover
  – Reason for latest breach: “poor adherence to security protocol ……the need for better education, such as teaching staff not to click on links in suspicious emails !”
• Questions to ask yourselves:
  – How quickly could your business recover from this type of attack?
  – Would it be quick enough for the business to survive?
  – How often do you have offline backups taken?
Could this happen to you AND business survive impact?
INTERNET OF THINGS (IOT) – PARADISE FOR HACKERS!
The Internet of Things!
Healthcare
• ICS-CERT reported that around 300 machines from 40 vendors have hard-coded passwords. These include:
  • Pacemakers
  • Surgical and anesthesia devices
  • Ventilators
  • Drug infusion pumps
  • External defibrillators
  • Patient monitors
  • Laboratory and analysis equipment
  • Drug control systems
  • Patient records
  • Surgery robots (tele operated)
Critical Infrastructure - Airplanes
• IP connectivity used in aircraft systems
• Wifi, plane Apps. In-Flight Entertainment systems - popular
• Creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems
Penetration Test Win Story: Car manufacturer
IBM showed that integrated tests can identify flaws that would not be identified on individual tests.
The customer improved security by having end-to-end testing of their solution.
• Business Challenge:
  – The company wanted IBM to test new connected car solution prior to release in Europe
• What We Did:
  – IBM analysed hardware and firmware on the device implanted in the car
  – Tests on the full scope of the solution, from the mobile application to the GPRS/GSM communication of the device to the backend
• Benefits:
  – The integrated view allowed the identification of vulnerabilities and corresponding business impact that would not be identified if components were to be tested individually
  – The client was able to improve the security of the solution before it went to market, avoiding a public image problem
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS
Distributed Denial of Service (DDoS) Attack
• ICMP (Ping Flood) aka “Smurf Attack”
• Lots of other DDoS methods
• Easy and cheap to carry out, just need willing volunteers or a Botnet
"From a philosophical perspective, if the attacker's pipe is bigger than the defender's pipe, the attacker can always knock out the defender"
- Bruce Schneier
DDoS Generated by Internet of Things !
• Massive DDoS 1.2Tbps from 100,000 malicious endpoints
• Mirai botnet of IoT devices such as digital cameras and DVR
• DDoS can be a Smoke Screen for something else bad that is “about to happen” or has “just happened”
• Solutions
  – Plan ahead for this event
  – Test solutions you have bought
X-Force Red DDoS Testing Solution
• This solution has been used in many customer engagements with a 100% success rate, i.e. the system becomes unreachable
• Currently, attacks of 20 Gbps have been conducted
• Clients in all geographies have used the service
• Uses IBM Distributed Cloud Service Bluemix
Conclusions
• Phishing and Social engineering will happen and best defence is User Awareness Education
• Start planning now so you can survive massive cyber attack
• If you use OR even more importantly build any IoT then do get it security tested before a Third Party does
• DDoS is a pain, prepare in advance and always check and keep those logs
Questions ?
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
THANK YOU