CSC Security Deck
John Paul Valenzuela
Business Development Manager, South East Asia
Page 2
What’s in a Digital Brand?
Digital assets that make up the digital brand:
• Domains
• DNS
• Digital certificates
• Social media handles
• Mobile apps
Page 3
Digital Brand – Cyber Threats
Threat actors: cyber criminals, “hacktivists”
Threats to digital assets:
• DDoS attacks
• Malware
• Phishing
• SQL injection
• Social hijacking
• Domain hijacking
Page 4
Digital Assets
Who has a company issued laptop or cell phone?
Does it have a serial number that is logged?
Would you agree the business sees that as an asset and documents it appropriately?
Do you treat your digital assets the same way?
Page 5
Domains
Potential threats: domain hijacking, domain shadowing
Page 6
Domain Management Challenges
• Many companies don’t document their digital assets
  • If you don’t know what you have, how do you manage it?
  • How do you enforce policy?
  • How do you make sense of the data? (email feeds, domains, SSLs, social media)
• Disparate portfolio management: multiple vendors cause inefficiency and confusion
  • Poor asset management leading to missed renewals
  • Many sets of credentials to worry about
  • Increased risk of phishing attack success
  • No increased purchasing power
Page 7
Threat: Domain Shadowing
Source: CSO Online
Page 8
Threat: Domain Shadowing
Domain shadowing: a bad actor uses compromised registrant credentials to create sub-domains under your legitimate domain.
Example: online.cscglobal.com
• Makes phishing attacks look more authentic
• Uses compromised registrant credentials
• Difficult to stop: subdomains are high volume, short lived, and random, with no discernible patterns
• Makes blocking increasingly difficult
• Directs users to the Angler Exploit Kit
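To make the “high volume, short lived, and random” signature of domain shadowing concrete from the defender’s side, here is an added example (not part of the original deck and not CSC’s tooling) that scores newly added DNS records for exactly those signs: a sub-domain that is not in the asset inventory, resolves outside the organisation’s own address space, was added in a burst, or carries a machine-generated-looking label. All records, hostnames and address ranges are constructed for illustration; the five-minute burst window, the letters-and-digits heuristic and the two-label registered-domain split are simplifying assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of DNS zone additions as (timestamp, fqdn, A-record target).
# These are made-up records for illustration, not data from any real zone.
ZONE_ADDITIONS = [
    ("2016-02-01T09:00:00", "www.example-brand.com", "203.0.113.10"),
    ("2016-02-01T09:05:00", "online.example-brand.com", "203.0.113.11"),
    ("2016-02-03T02:14:07", "kz8ah3q.example-brand.com", "198.51.100.77"),
    ("2016-02-03T02:14:09", "p0x2mvd9.example-brand.com", "198.51.100.78"),
    ("2016-02-03T02:14:11", "w7g1sbn.example-brand.com", "198.51.100.79"),
    ("2016-02-03T02:14:12", "r4tq92lm.example-brand.com", "198.51.100.80"),
    ("2016-02-03T02:14:15", "c3k8vzx1.example-brand.com", "198.51.100.81"),
    ("2016-02-04T10:30:00", "support.example-brand.com", "203.0.113.12"),
]

# Hostnames the organisation knows it created (its asset inventory) and the
# address space it owns. Both are constructed assumptions for this example.
KNOWN_HOSTS = {
    "www.example-brand.com",
    "online.example-brand.com",
    "support.example-brand.com",
}
OWNED_NETWORKS = [ip_network("203.0.113.0/24")]


def registered_domain(fqdn):
    """Assumption: the registered domain is the last two labels (no public-suffix list)."""
    return ".".join(fqdn.split(".")[-2:])


def looks_machine_generated(label):
    """Weak signal for a random label: 6+ characters mixing letters and digits."""
    has_alpha = any(c.isalpha() for c in label)
    has_digit = any(c.isdigit() for c in label)
    return len(label) >= 6 and has_alpha and has_digit


def find_shadow_candidates(records, known_hosts, owned_networks,
                           burst_window=timedelta(minutes=5), burst_threshold=3):
    """Flag sub-domains that are not inventoried and show at least one shadowing sign:
    they resolve outside the owned address space, were added as part of a burst,
    or their leftmost label looks machine-generated."""
    parsed = [(datetime.fromisoformat(ts), fqdn, ip_address(ip))
              for ts, fqdn, ip in records]
    by_domain = {}
    for rec in parsed:
        by_domain.setdefault(registered_domain(rec[1]), []).append(rec)

    findings = []
    for recs in by_domain.values():
        times = [t for t, _, _ in recs]
        for t, fqdn, ip in recs:
            if fqdn in known_hosts:
                continue  # inventoried host: not a shadow candidate
            reasons = []
            if not any(ip in net for net in owned_networks):
                reasons.append("resolves outside owned address space")
            nearby = sum(1 for u in times if abs(u - t) <= burst_window)
            if nearby >= burst_threshold:
                reasons.append(f"part of a burst of {nearby} additions within {burst_window}")
            if looks_machine_generated(fqdn.split(".")[0]):
                reasons.append("leftmost label looks machine-generated")
            if reasons:
                findings.append({"fqdn": fqdn, "added": t.isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_shadow_candidates(ZONE_ADDITIONS, KNOWN_HOSTS, OWNED_NETWORKS):
        print(finding["added"], finding["fqdn"], "; ".join(finding["reasons"]))
```

Run against the constructed records, the three inventoried hosts are skipped and the five additions made within eight seconds on 3 February are each reported with all three reasons. In practice the records would come from registrar change notifications or passive DNS, and the inventory from the asset register the deck keeps asking for.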
Page 9
How Can I Reduce the Risk?
Create a domain name policy:
1. Define goals
2. Assign roles and responsibilities
3. Determine strategy
4. Outline processes for availability searches, registrations, renewals, and transfers
5. Establish monitoring, escalation, and enforcement mechanisms
6. Identify budget
7. Create standards
8. Set DNS controls
9. Define reporting
10. Create a policy and compliance review process
Page 10
Key Takeaways
Security
• Two-factor authentication
• Registry lock
• Email protection (DMARC/DKIM/SPF)
• IP validation
User Management: who has access to the digital assets?
• Carry out regular user reviews (people move or leave)
• User access – do they really need access?
• Federated identity – reduces the risk of not notifying a vendor when a user’s access should change
Phishing Awareness Training
• Internally, who has phishing awareness training?
• Do you test them?
Page 11
DNS
Potential threats: DDoS attacks (Distributed Denial of Service), malware
Page 12
DDoS Attacks – Examples
Source: The Register Source: BBC
Page 13
DDoS Attacks – The Risk
Distributed Denial of Service is a common technique that floods your servers with traffic, which in turn “jams” your network (gridlock).
Page 14
DDoS Attacks – A growing threat
DDoS attack activity increased 85% year over year
Source: VeriSign DDoS Trends Report
In the last 2 weeks of January 2016…
• 52 mainstream DDoS attacks (many more not reported)
• Attacks on government, public, and private sector businesses
• They were all powerless to defend
Source: http://www.hackmageddon.com
500 Gbps (latest reported attack size): 31+ full-length 1080p (HD) movies of data per second! What size attack can your organization withstand?
Source: http://www.hackmageddon.com; Source: http://filecatalyst.com/todays-media-file-sizes-whats-average
Page 15
DNS/DDoS Attacks – The Impact
18 hours: average network outage/disruption time (Source: CIO Insight)
$105,710: average cost of 1 hour of downtime (Source: CIO Insight)
$126,153: estimated average annual cost to businesses from DDoS attacks (Source: The Ponemon Institute)
Page 16
War Games!
Page 17
50% of businesses worldwide have no countermeasures against DDoS attacks
Source: IT Pro
Page 18
How Can I Reduce the Risk?
Evaluate current DNS platform – is it suitable and robust enough to withstand DDoS attacks?
Consolidate all domain names onto a single DNS platform
Consider DDoS protection/mitigation service
Consider DNSSEC to combat spoofing/man in the middle attacks
Page 19
SSLs
Potential threats: malware, espionage
Page 20
51% of Global 2,000 companies admit to not having an accurate accounting of their SSL certificates
*Source: Ponemon Institute, “2013 Annual Cost of Failed Trust Report: Threats and Attacks”
Page 21
Why Is It So Hard to Keep Track?
Responsibility for SSL certificates often spread around the business and around the world
Disparate technology groups and standards
SSL certificates often with numerous providers
Page 22
SSL Risks – Expired Certificates
If you don’t have a grasp of what you own, along with a tight management and renewal process, this can happen:
Page 23
Expired Certificate Examples
Page 24
Expired Certificate Examples
Page 25
Expired Certificates – Impact
“The average Global 5,000 company spends about $15 million to recover from the loss of business due to a certificate outage—and faces another $25 million in potential compliance impact.”
Source: CSOonline.com
Page 26
How Can I Reduce the Risk?
Audit to get a thorough accounting of all existing certificates
Cross-reference with live sites
Consolidate onto one platform for easier management
Develop and implement a policy and process to ensure that all certificates are managed as necessary
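Added example (not the deck’s or CSC’s code) of the audit and cross-reference steps just listed: it parses a certificate inventory as an audit would collect it from several providers, compares it with the hostnames observed serving TLS on the live estate, and reports expired and soon-to-expire certificates, live hosts that have no inventory record, inventoried hosts that are no longer live, and a per-provider breakdown to support consolidation. The inventory rows, hostnames, provider names and dates are all constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed certificate inventory, in the shape an audit across several
# providers might produce. Hostnames, providers and dates are made up.
INVENTORY_CSV = """hostname,provider,not_after,owner
www.example-brand.com,ProviderA,2016-03-01,web-team
shop.example-brand.com,ProviderB,2016-02-10,ecommerce
api.example-brand.com,ProviderA,2016-12-31,platform
legacy.example-brand.com,ProviderC,2015-11-30,unknown
"""

# Constructed list of hostnames observed serving TLS on the live estate.
LIVE_HOSTS = {
    "www.example-brand.com",
    "shop.example-brand.com",
    "api.example-brand.com",
    "portal.example-brand.com",
}


def parse_inventory(text):
    """Read the CSV inventory into dicts, with not_after parsed to a date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["not_after"] = date.fromisoformat(row["not_after"])
        rows.append(row)
    return rows


def audit_certificates(inventory, live_hosts, today, warn_days=30):
    """Cross-reference the inventory with live hosts and flag expiry problems.

    Returns expired certificates (with days since expiry), certificates expiring
    within warn_days (with days left), live hosts missing from the inventory,
    inventoried hosts that are no longer live, and hostnames grouped by provider."""
    expired, expiring, providers = [], [], {}
    inventory_hosts = set()
    for cert in inventory:
        inventory_hosts.add(cert["hostname"])
        providers.setdefault(cert["provider"], []).append(cert["hostname"])
        days_left = (cert["not_after"] - today).days
        if days_left < 0:
            expired.append((cert["hostname"], -days_left))
        elif days_left <= warn_days:
            expiring.append((cert["hostname"], days_left))
    return {
        "expired": sorted(expired),
        "expiring": sorted(expiring),
        "live_without_inventory": sorted(live_hosts - inventory_hosts),
        "inventory_not_live": sorted(inventory_hosts - live_hosts),
        "providers": providers,
    }


def run_audit(today_iso):
    """Audit the constructed inventory as of the given ISO date (e.g. '2016-02-01')."""
    return audit_certificates(parse_inventory(INVENTORY_CSV), LIVE_HOSTS,
                              date.fromisoformat(today_iso))


if __name__ == "__main__":
    for key, value in run_audit("2016-02-01").items():
        print(f"{key}: {value}")
```

Audited as of 1 February 2016, the legacy certificate is reported as 63 days expired, the shop and www certificates as due in 9 and 29 days, portal as live but unknown to the inventory, and legacy as inventoried but no longer live. A real run would populate the inventory from each provider’s export and the live list from a scan of the organisation’s own hostnames.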
Page 27
Social Media handles
Potential threats: social hijacking
Page 28
Social Media Handles – The Challenges
Social media handles are like domain names 10 years ago…
• No company policies
• Little to zero protection for TM (trademark) holders
• First come, first served
It’s the Wild, Wild West all over again.
Page 29
Social Media Handles – The Risks
INTERNAL: managing access to social media handles
• What happens if the user leaves the company?
• How protected are credentials?
EXTERNAL:
• Hacking of social accounts via compromised credentials
• Third parties creating fake accounts to target your brand: job scams, infringements, corporate disparagement
Page 30
Fake Social Media Accounts
Researchers have spotted fake social buttons plugins that attackers are using to compromise websites and redirect visitors to the Angler exploit kit.
Source: grahamcluley.com
“Cybersecurity researchers have uncovered a network of fake LinkedIn profiles, which they suspect were being used by hackers in Iran to build relationships with potential victims around the world.”
Source: The Wall Street Journal
Page 31
Social Media Hacking and Hijacking - Examples
Page 32
How Can I Reduce the Risk?
Manage the handles as you would other digital assets
Develop and maintain an inventory of social media handles
Find a secure online repository
Determine registration strategy (part of domain policy)
Limit access to usernames/passwords
Change passwords on frequent basis
Monitor activity on social networks – what are staff doing as well as third parties
Page 33
Mobile Apps
Potential threats: social hijacking, malware
Page 34
Mobile Apps – A Growing Channel
89% of mobile-user time is spent using apps, as opposed to just 11% spent accessing media through the mobile web.
Source: Nielsen
Total app revenues are projected to grow from $45.37B in 2015 to $76.52B in 2017.
Source: http://www.businessofapps.com/app-revenue-statistics/
Page 35
Mobile Apps – Challenges & Risks
Challenges
• Similar to social media (WWW = Wild, Wild West)
• Third parties can publish mobile apps to target a brand’s customers (e.g. malapps)
• Managing these assets as they grow in usage
Risks
• Malware
• Phishing
• Fake apps/trademark infringement
• Counterfeiting
Page 36
Mobile Apps – Threats
9 million of the 120 million apps over multiple app stores around the globe contained malware.
Source: McAfee
11% of the 350K apps that reference ‘banking’ across global app stores contain malware or suspicious code.
Source: RiskIQ
Over half of companies devote zero budget to mobile security.
Source: Security Intelligence/Ponemon Institute
Page 37
Mobile App Abuse - Examples
Page 38
How Can I Reduce the Risk?
Develop and maintain an inventory of authorized mobile apps (in order to quickly identify unauthorized apps that require investigation and action)
Monitor the major app stores to quickly detect infringements and take rapid enforcement action
Page 39
Potential threats: phishing, malware, fraud, spoofing
Page 40
Phishing/Email Fraud Challenges
30% of consumers prefer email communications over phone, text, post or social media.
Source: http://tsys.com/2015USConsumerResearch/
97% of people globally can’t correctly identify a sophisticated phishing email.
Source: Intel
Email fraud has up to a 45% conversion rate.
Source: Google
Page 41
Email Fraud – The Impact
Phishing costs brands worldwide $4.5 billion each year.
Source: “The Economics of Spam,” Journal of Economic Perspectives
Customers are 42% less likely to do business with you after a phishing attack, regardless of whether they were actually fooled.
Source: http://www.magillreport.com/Phishing-Threatens-Your-Brand-More-than-You-Think-Return-Path/
82 seconds: median time from email received to first click.
Source: https://info.wombatsecurity.com/blog/infographic-what-impact-does-phishing-have-on-your-business
Page 42
Phishing Attacks - Examples
Page 43
In a survey of more than 1,000 global brands across 33 countries, only 22% of companies were publishing a DMARC record.
Source: ReturnPath
Page 44
How Can I Reduce the Risk?
• Provide staff training to identify phishing emails and to report them immediately
• Empower employees to say “No” to requests for data and money from senior leadership
• Subscribe to Email Fraud Protection (a service that provides both email governance and threat intelligence)
• Apply SPF, DKIM, and DMARC on your sending domains
• Monitor the email channels (honey pots, abuse feeds) for phishing emails targeting your brand
• Subscribe to a takedown service to remove and blacklist offending URLs
• Use a robust Domain Name Monitoring service to identify registered typo domains that could be used for phishing
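The survey figure above only asks whether a DMARC record is published at all; the “apply SPF, DKIM, and DMARC” step needs a check of what the records actually say. Here is an added example (not from the deck and not CSC’s service) that grades the SPF and DMARC TXT records of a sending domain: it parses the DMARC tags and reports a monitor-only or partial policy and missing reporting addresses, and it reads the SPF “all” qualifier and counts the terms that cost a DNS lookup, which RFC 7208 caps at ten. The three domains and their records are constructed; a real check would fetch them with a DNS library, and DKIM is left out because verifying it needs the sending selector names.

```python
# Constructed TXT records for three made-up sending domains. None of these are
# real DNS data; they show a weak, a strong and an absent configuration.
CONSTRUCTED_RECORDS = {
    "weak.example-brand.com": {
        "spf": "v=spf1 include:_spf.example-mailer.net ?all",
        "dmarc": "v=DMARC1; p=none",
    },
    "strong.example-brand.com": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mailer.net -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example-brand.com",
    },
    "absent.example-brand.com": {"spf": None, "dmarc": None},
}

# SPF terms that each cost a DNS lookup; RFC 7208 section 4.6.4 limits them to 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (policy, findings); policy is 'none' when no record is published."""
    if record is None:
        return "none", ["no DMARC record published: receivers cannot act on spoofing"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return policy, findings


def term_name(term):
    """Mechanism or modifier name without its qualifier, argument or CIDR length."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name


def assess_spf(record):
    """Return a list of findings for an SPF record (empty means nothing flagged)."""
    if record is None:
        return ["no SPF record published"]
    terms = record.split()
    findings = []
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("record does not start with v=spf1")
    all_terms = [t for t in terms[1:] if term_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises any host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: SPF provides no protection")
        elif qualifier == "~":
            findings.append("'~all' is a soft fail: rely on DMARC to act on failures")
    lookups = sum(1 for t in terms[1:] if term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def assess_domain(records):
    """Combine the SPF and DMARC assessment for one domain's records."""
    policy, dmarc_findings = assess_dmarc(records["dmarc"])
    return {
        "dmarc_policy": policy,
        "dmarc_findings": dmarc_findings,
        "spf_findings": assess_spf(records["spf"]),
    }


if __name__ == "__main__":
    for domain, records in CONSTRUCTED_RECORDS.items():
        print(domain, assess_domain(records))
```

On the constructed records the strong domain produces no findings, the weak one is flagged for its neutral “?all” and its monitor-only p=none without a reporting address, and the absent one for publishing nothing at all. Publishing a record is the start; a p=reject policy with reports flowing is the state the checklist at the end of the deck is asking for.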
Page 45
Why Does Security Matter to You?
You are often making decisions that will impact your brand!
We are now managing digital assets, which are valuable, and bad actors want to exploit them.
The business needs your help!
Question: Who thinks security is just the job of IT?
Page 46
Who Makes the Decisions?
Driver → decision maker:
• Advent of domains → IT
• Increase in infringements → Legal
• Growth in eCommerce → Marketing
• Increase in cyber attacks → CISO
• FUTURE: multi-stakeholder approach
Page 47
How can I reduce the risk? The CSC Digital Optimization Plan
Page 48
Checklist
• Consolidate all domain names onto a single DNS platform
• Consider DDoS protection/mitigation service
• Consider DNSSEC to combat spoofing/man-in-the-middle attacks
• User review: ensure access to critical in-house and third-party systems (domains, DNS, etc.) is correct
• Employ two-factor authentication (IP validation or token-based security) on these systems
• Place critical domains on registrar/registry lock (CSC MultiLock)
• Train staff with system access on social engineering awareness
• Ensure your third-party providers are employing two-factor authentication and providing social engineering awareness
• Employ third-party phishing detection and takedown solution
• Employ email fraud prevention solution and apply a DMARC policy on your sending domains
• Educate your customers!