Internal Vulnerabilities - A Case Study of Several Organizations’ Pen Test Results

Page 1: INTERNAL VULNERABILITIES – A CASE STUDY OF SEVERAL ORGANIZATIONS’ PEN TEST RESULTS

Page 2: Bryan Zoll, CISA

Supervisor, Marcum LLP
10 years of professional experience in IT

Key Industries:
o Healthcare
o Financial Services
o Insurance

Areas of Expertise:
o Cybersecurity
o Regulatory Compliance (HIPAA/HITECH, SOX 404, etc.)
o Internal Controls
o Business Continuity and Disaster Recovery
o System Development Life Cycle / Implementation

Page 3: Discussion Topics

Analysis of Cybersecurity Engagement Results
o Vulnerability Scanning
o Social Engineering
  • Why Social Engineering Attacks Are Successful

How Are Internal Vulnerabilities and Social Engineering Related?
o Avoiding the Perimeter
o Risk Implications

Recent Trends
o Ransomware
o Internet of Things (IoT)

What can Organizations do to Protect Themselves?
o Continuous Cybersecurity Awareness Training and Assessments
o Vulnerability Management Program
o Business Continuity and Disaster Recovery

Page 4: Primer

Vulnerability Scanning – the act of using software to scan network devices to identify if and where a system can be exploited and compromised

Penetration Testing – the act of testing weaknesses in network devices to obtain unauthorized access to programs and data

Social Engineering – the act of manipulating people into performing actions or revealing information that could lead to unauthorized logical or physical access to programs and data

Page 5: VULNERABILITY SCANNING ANALYSIS

Page 6: Vulnerability Scanning – Key Metrics

Marcum scanned a total of 2,059 IP addresses

A total of 22,351 vulnerabilities were identified

Vulnerability Score Breakdown:
o Low – 2,211 (10%)
o Medium – 8,606 (39%)
o High – 7,636 (34%)
o Critical – 3,898 (17%)

Equates to approximately 11 vulnerabilities per IP Address

Page 7: Key Metrics (cont.)

There were 11,811 (~53%) vulnerabilities identified that could have been resolved by applying a patch, upgrade, or being on a supported O/S or application:
1. Printer software updates
2. Unsupported O/S or application version

Page 8: SOCIAL ENGINEERING ANALYSIS

Page 9: Social Engineering

Page 10: Social Engineering

Page 11: Social Engineering – Key Metrics

Marcum sent Phishing emails to 1,226 targets

163 (~13%) targets failed:
o 163 targets clicked on the embedded link in the email
o 121 users performed some type of solicited action:
  • Download a file
  • Perform a security update
  • Submit User ID and password information

Page 12: Why Social Engineering Attacks are Successful

Humans are the weakest link in the Security chain

Social Engineering attacks can be customized to target human emotions

In 2002, Kevin Mitnick wrote that Social Engineering is based on 6 human tendencies:
o Authority
o Natural Tendency to be Helpful
o Liking and Similarity
o Reciprocation
o Commitment and Consistency
o Low Involvement

Most Organizations do not have security awareness programs in place

Page 13: HOW ARE INTERNAL VULNERABILITIES AND SOCIAL ENGINEERING RELATED?

Page 14: Avoiding the Perimeter

Hacking the perimeter takes time:
o Firewalls
o Intrusion Detection/Prevention Systems
o Dynamic Perimeters / Moving Target Defense

The shorter the amount of time a hacker has for reconnaissance and vulnerability identification, the less likely it is that an attack will be successful

Successful Social Engineering attacks allow external hackers to avoid perimeter defenses!
o Allows direct access to internal devices where poor security management is present

Page 15: Risk Implications

Hackers can use compromised machines as pivot points to launch further attacks internally:
o IP traffic for these attacks originates internally; it won’t be detected by any network perimeter devices (firewalls, IPS/IDS, etc.)

Various programs can be installed (e.g. keyloggers)

Unauthorized access to programs and data

Unauthorized disclosure of information

Damage to Reputation:
o Sony
o Aetna
o Home Depot

Page 16: RECENT TRENDS

Page 17: Ransomware

Definition – Malicious attack designed to limit or restrict access to computer resources until a ransom is paid

Healthcare is at war!
o Titus Regional Medical Center (TX) – January
o Hollywood Presbyterian Medical Center (CA) – February
o Methodist Hospital (KY) – March
o MedStar Health (MD / D.C.) – March

Paying the ransom:
o TOR – The Onion Router
o BitCoins

TrendMicro & McAfee: “2016 is the year of online extortion”

Page 18: Internet of Things (IoT)

Definition – Collection of devices that allow network connectivity for the collection and exchanging of data

What’s the catch?
o Open ports in firewall to allow exchange of information
o Device Security
  • What attacks is this device vulnerable to?
  • Will the vendor release security updates?
  • Was the vendor security-conscious when coding?

Risk of being compromised?
o Organizations need to account for IoT in corporate risk assessments

IoT allows objects to be sensed and controlled remotely across existing network infrastructure
o Famous Jeep Hack

Page 19: WHAT CAN ORGANIZATIONS DO TO PROTECT THEMSELVES?

Page 20: Continuous Cybersecurity Awareness Training and Assessments

Conduct Security Awareness Training – OFTEN
o Posted reminders of cybersecurity threats (e.g. about phishing emails)
o Quarterly memos about current security trends threatening the Organization
o Annual acknowledgement of cybersecurity policies and procedures

Perform Penetration Testing at least annually

Perform Vulnerability Assessments on a quarterly or annual basis, or whenever changes are performed in network infrastructure

Page 21: Vulnerability Management Program

Identify vulnerabilities in your Organization

Classify and log vulnerabilities through risk ranking
o Common Vulnerability Scoring System (CVSS)
o Exposure

Remediate vulnerabilities through a developed plan

Mitigate vulnerabilities to acceptable levels
o Subnetting
o Application Layer Firewalls

NIST SP 800-40r3 – Guide to Enterprise Patch Management Technologies

NIST SP 800-123 – Guide to General Server Security
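The classify-and-rank step above, together with the key metrics shown on Pages 6 and 7 (severity breakdown, findings per IP address, share resolvable by patching), can be reduced to a few lines of code once scan output is in a structured form. The following is an added example and not code from the slides or from Marcum: it ranks constructed scan findings by CVSS v3 base score weighted by the host's exposure, orders the remediation queue so that high-risk findings with an available patch come first, and computes the same metrics the deck reports. The severity bands are the CVSS v3 qualitative rating scale; the exposure weights and the remediation SLA days are illustrative policy choices, not something NIST or CVSS prescribes.

```python
"""Added example (not from the slides): rank scan findings by CVSS and
exposure, build a remediation queue, and report the deck's key metrics.

Assumptions (not on the page): findings are constructed records with a
CVSS v3 base score, a patch-available flag and an exposure label; the
exposure weights and SLA days are illustrative policy, not standards.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str            # scanner check name (constructed)
    cvss: float            # CVSS v3.x base score, 0.0 - 10.0
    patch_available: bool  # resolvable by patch/upgrade/supported version
    exposure: str          # "internet", "dmz", "internal" or "isolated"


# Constructed sample findings across four hosts (not real scan data).
SAMPLE_FINDINGS = [
    Finding("10.1.50.7",   "SMBv1 enabled",                   7.5,  True,  "internal"),
    Finding("10.1.50.7",   "Unsupported Windows Server 2003", 10.0, True,  "internal"),
    Finding("10.1.60.2",   "Outdated printer firmware",       5.3,  True,  "internal"),
    Finding("10.1.60.2",   "Default SNMP community",          7.5,  False, "internal"),
    Finding("203.0.113.5", "TLS 1.0 enabled on web server",   5.9,  False, "internet"),
    Finding("203.0.113.5", "Unpatched OpenSSL",               9.8,  True,  "internet"),
    Finding("10.1.70.9",   "Self-signed certificate",         2.6,  False, "isolated"),
    Finding("10.1.70.9",   "Weak SSH ciphers",                4.3,  False, "isolated"),
]

# Exposure weight and SLA are the organization's policy (assumption).
EXPOSURE_WEIGHT = {"internet": 1.0, "dmz": 0.8, "internal": 0.5, "isolated": 0.2}
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": 0}


def cvss_severity(score):
    """CVSS v3 qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def risk_rank(finding):
    """Composite risk: CVSS base score scaled by how exposed the host is."""
    return round(finding.cvss * EXPOSURE_WEIGHT[finding.exposure], 2)


def remediation_sla_days(finding):
    """Days allowed to remediate, driven by the CVSS severity band."""
    return SLA_DAYS[cvss_severity(finding.cvss)]


def remediation_queue(findings):
    """Highest composite risk first; among equals, patchable quick wins first."""
    return sorted(findings,
                  key=lambda f: (-risk_rank(f), not f.patch_available, f.host))


def key_metrics(findings, ip_count):
    """The numbers the deck reports: severity split, per-IP rate, patchable share."""
    total = len(findings)
    by_sev = Counter(cvss_severity(f.cvss) for f in findings)
    patchable = sum(1 for f in findings if f.patch_available)
    return {
        "total": total,
        "by_severity": dict(by_sev),
        "per_ip": round(total / ip_count, 1),
        "patchable": patchable,
        "pct_patchable": round(100 * patchable / total),
    }


if __name__ == "__main__":
    hosts = {f.host for f in SAMPLE_FINDINGS}
    print(key_metrics(SAMPLE_FINDINGS, len(hosts)))
    for f in remediation_queue(SAMPLE_FINDINGS):
        print(f"{risk_rank(f):5.2f}  {cvss_severity(f.cvss):8}  "
              f"SLA {remediation_sla_days(f):3}d  patch={f.patch_available}  "
              f"{f.host}  {f.plugin}")
```

Two points worth noticing in the output: an internet-facing Medium (TLS 1.0 on the web server) outranks an internal Critical on the composite score because the exposure weight halves the internal score, and when two findings tie (the two internal 7.5s) the one a patch can close is queued first, which is exactly the "~53% resolvable by patching" population the deck says to chase down.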

Page 22: Business Continuity & Disaster Recovery

Include the scenario of a cyber attack in your BC / DR planning

Define Recovery Time Objectives (RTO) and, more importantly, Recovery Point Objectives (RPO)

Ensure Security Incident Response Plans are tested and updated periodically

Page 23: Our Partners

ADNET proudly partners with leading technology and business solution providers to help our clients find the best possible fit for their needs. We encourage you to visit our partners' websites to learn more about their services.

Page 24: Contact

@ADNETTech

@ADNETTechnologiesLLC

@ADNETTechnologiesLLC

www.thinkADNET.com

@MarcumLLP

@Marcum-LLP

@MarcumLLP

www.marcumllp.com