Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Hacker risks presentation to ACFE PR Chapter
1. Is XXI century Fraud Hacking?
ACFE Puerto Rico Chapter
Presented by: Enrique
Gonzalez
Jose Arroyo
Jose Quinones
2. IT Terminologies
• Threat – potential danger to information or systems
• Vulnerability – absence of a safeguard or weakness providing an
opportunity for attack
• Attack – attempt to exploit a vulnerability or violate a security policy,
mechanism or control
• Breach – successful attack with or without detection
• Exposure = (vulnerability + likelihood of attack – number of instances
of being exposed to a loss from a threat agent)
2
3. Facts
• Internet has grown very fast and security has
lagged behind.
• It is hard to trace the perpetrator of cyber
attacks since the real identities are
camouflaged
• It is very hard to track down people because
of the ubiquity of the network.
• Large scale failures of internet can have a
catastrophic impact on the economy which
relies heavily on electronic transactions
4. Computer Crime _the Beginning
• In 1988 a "worm program" written by a
college student shut down about 10 percent
of computers connected to the Internet. This
was the beginning of the era of cyber attacks.
• Today we have about 70K of incidents of cyber
attacks which are reported and the number
grows.
5. Computer Crime- 1994
• A 16-year-old music student called Richard Pryce,
better known by the hacker alias DataStream
Cowboy, is arrested and charged with breaking
into hundreds of computers including those at the
Griffiths Air Force base, Nasa and the Korean
Atomic Research Institute. His online mentor,
"Kuji", is never found.
• Also this year, a group directed by Russian
hackers broke into the computers of Citibank and
transferred more than $10 million from customers'
accounts. Eventually, Citibank recovered all but
$400,000 of the pilfered money.
6. Computer Crime- 1995
• In February, Kevin Mitnick is arrested for a second
time. He is charged with stealing 20,000 credit card
numbers. He eventually spends four years in jail and on
his release his parole conditions demand that he avoid
contact with computers and mobile phones.
• On November 15, Christopher Pile becomes the first
person to be jailed for writing and distributing a
computer virus. Mr Pile, who called himself the Black
Baron, was sentenced to 18 months in jail.
• The US General Accounting Office reveals that US
Defense Department computers sustained 250,000
attacks in 1995.
7. Computer Crime- 1999
• In March, the Melissa virus goes on the
rampage and wreaks havoc with computers
worldwide. After a short investigation, the FBI
tracks down and arrests the writer of the
virus, a 29-year-old New Jersey computer
programmer, David L Smith.
• More than 90 percent of large corporations
and government agencies were the victims of
computer security breaches in 1999
8. Computer Crime- 2000
• In February, some of the most popular websites in
the world such as Amazon and Yahoo are almost
overwhelmed by being flooded with bogus
requests for data.
• In May, the ILOVEYOU virus is unleashed and
clogs computers worldwide. Over the coming
months, variants of the virus are released that
manage to catch out companies that didn't do
enough to protect themselves.
• In October, Microsoft admits that its corporate
network has been hacked and source code for
future Windows products has been seen.
9. Computer Crime- 2000-07
• March 2005 - Bank of America
– 1,200,000 lost social security and account numbers were
lost
• May 2006 - Veteran’s Administration
– 26,500,000 social security numbers and DOB were lost when
a laptop was stolen
• January 2007 - TJ Maxx
– 47,500,000 credit card numbers were stolen by hackers
taking advantage of unencrypted wireless network in
parking lot
11. Why do Hackers Attack?
• Because they can!!!!!!!!!!
• A large fraction of hacker attacks have been
pranks
• Financial Gain
• Espionage
• Venting anger at a company or organization
• Terrorism
12. Types of Hacker Attack
• Active Attacks
– Denial of Service
– Breaking into a site
• Intelligence Gathering
• Resource Usage
• Deception
• Passive Attacks
– Sniffing
• Passwords
• Network Traffic
• Sensitive Information
– Information Gathering
13. Modes of Hacker Attack
• Over the Internet
• Over LAN
• Locally
• Offline
• Theft
• Deception
14. Spoofing
Definition:
An attacker alters his identity so that some one
thinks he is some one else
Email, User ID, IP Address, …
Attacker exploits trust relation between user and
networked machines to gain access to machines
Types of Spoofing:
IP Spoofing:
Email Spoofing
Web Spoofing
15. Denial of Service (DOS) Attack
• Definition:
• Attack through which a person can render a system unusable
or significantly slow down the system for legitimate users by
overloading the system so that no one else can use it.
• Types:
– Crashing the system or network
• Send the victim data or packets which will cause system to
crash or reboot.
– Exhausting the resources by flooding the system or network with
information
• Since all resources are exhausted others are denied access to
the resources
– Distributed DOS attacks are coordinated denial of service attacks
involving several people and/or machines to launch attacks
16. Password Attacks - Process
• Find a valid user ID
• Create a list of possible passwords
• Rank the passwords from high probability to low
• Type in each password
• If the system allows you in – success !
• If not, try again, being careful not to exceed
password lockout (the number of times you can
guess a wrong password before the system shuts
down and won’t let you try any more)
17. Password Attacks – Types
• Dictionary Attack
– Hacker tries all words in dictionary to crack password
– 70% of the people use dictionary words as passwords
• Brute Force Attack
– Try all permutations of the letters & symbols in the alphabet
• Hybrid Attack
– Words from dictionary and their variations used in attack
• Social Engineering
– People write passwords in different places
– People disclose passwords naively to others
• Shoulder Surfing
– Hackers slyly watch over peoples shoulders to steal passwords
• Dumpster Diving
– People dump their trash papers in garbage which may contain information
to crack passwords
18. Study Findings
• 30% of users chose passwords whose length is
<= 6 characters
• 60% of users use limited set of alpha-numeric
characters
• 50% of users use names, slang words,
dictionary words, or simple key sequences
• In just 110 attempts, a hacker would typically be
able to gain access to one new account every
second, or 17 minutes to break 1000 accounts
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practic
23. Who is causing the buzz?
• The amount of data that can be capture from
just doing an Internet search
• The inability of corporate employees to
identify a social engineering attack
• The easy access intruders have to both
physical and virtual data through the use of
Social Engineering
35. Identity Theft
• When someone uses your personal
information without your permission to
commit fraud or other crime
– Name
– Social Security number
– Date of birth
– Credit card number
– Bank account numbers
40. Scrap Paper
• March 10, 2008
• School teacher purchases box of scrap paper
for her fourth grade students - $20
• What she really gets?
• Medical records of 28 hospital patients!
41. Medical ID Theft
• April 2007, Salt Lake City
• Woman delivers a baby at a local hospital
• …then abandons it!
• Baby tests positive for methamphetamine
• Hospital identifies mother as Anndorie Sachs and tracks her
down
• Anndorie says she did not have a baby recently
• DCFS threatens to take away her other 4 children, aged 2-7
42. Medical ID Theft (cont)
• Good news
– Accusations were dropped
– Anndorie was absolved of paying the bill
• Bad news
– Anndorie’s medical records were altered to show the blood type and
medical record of a complete stranger
– Anndorie has a blood clotting disorder
– The hospitals insist that they have fixed the issue, but Anndorie can’t
be sure because they need to PROTECT the PRIVACY of the IDENTITY
THIEF!
43. Protect your sensitive information
• Shred pre-approved credit
offers, receipts, bills, other
records that have SSN
• Do not provide CC#, SSN, etc.
out over email
• Do not click on links in
unsolicited emails
48. Open Access
• Misconfigured share folders on a network can
become a source for data leak.
• A common error of the system administrators is
to give more privileges to users than they need.
– This breaks the least privilege principle and has
consequences.
• Wireless access
– Captive portals give a false sense of security
– The encryption is as good as its password
49. Excessive Permissions
• Everyone: Full Control
– Often developers code as a full admin on their
station and do not take into account restricted
users.
• Combination of Share Permissions and File
Permissions is often misconfigure
• dbo privileges on the database for regular
users
• Firewall rules
50. How data can be protected?
• Proper File an share permissions
– Don’t use Everyone or Users groups
– Adhere to least privilege principle
• Group Policy Objects (GPO) are you friends
– Activate Audits Objects and Processes
– Configure Logging
– Tracking
• Monitor your data
– IDS/IPS
– DPI
53. Encryption
• During Transmission
– VPN
– Secure Shell
– Tunneling
• At rest
– File Encryption (EFS, File Vault, etc.)
– Full drive encryption (Bit Locker, Truecrypt, etc.)
• It also can be used by the bad guys
56. Track your data
• Embed a URI or <web
bug>
• Digital Rights
Management
• Traffic/Network FLOWs
• Deep Packet Inspection
• SSL proxy
57. After the fact, what do you do?
• How identify an incident
• Incident Handling Process
• Live vs Dead Analysis
58. Incident vs Event
• Event: Observable, measurable occurrences
on our systems. It can be something that
happened to someone who saw it, or was
recorded by a log or audit file on a device.
• Incident: actions that result in harm or the
significant threat of harm to the information
systems or data in the organization
60. Live Analysis
• Live Analysis
– Memory Dump
– Live Disk Imaging
– Network Status/Capture
– System State
• Dead Analysis
– Pull the plug
– Disk imaging
– Image analysis
61. Why live analysis should always be
considered?
• RAM only processes
– Metasploit Meterpreter
• RAM disks
– /dev/shm
– ImDisk
• Network Connections
– Open transfers
– Networked shares like SMB/NFS or SSHFS
– Tunneling
62. So …
• Your data is the most important asset in the
organization and “others”
• You have to do your best effort to protect your
assets but sometimes your best is not enough
• Be prepared to fail, learn from it and keep
your mind open to possibilities
63. How many of you...
…have your Social Security card in
your wallet or purse
right now?
64. Due Care and Due Diligence
• Due Care: Steps taken to show that a company has taken
responsibility for the activities that occur within the corporation
and has taken the necessary steps to help protect the company, its
resources, and employees.
• Due Diligence: The process of systematically evaluating
information to identify vulnerabilities threats, and issues relating to
an organization’s overall risk.
• Example:
– Due care: Installing Antivirus software
– Due diligence: Keeping Antivirus signatures updated
64
65. 65
Examples of Major Computer Crime Laws
• PATRIOT Act
• Electronic Communications Privacy Act
• Computer Fraud and Abuse Act
• National Infrastructure Protection Act of 1997
• Computer Security Act of 1987
• Computer Crime Research Center (http://www.crime-
research.org/legislation/)
• Council Of Europe - Convention On Cybercrime (Ets
No. 185)
• Convention On Cybercrime (Budapest, 23.Xi.2001)
66. 66
Laws, Directives, and Regulations
• Gramm-Leach-Bliley Act of 1999
• Requires financial institutions to develop privacy notices and give
their customers the option to prohibit financial institutions from
sharing their information with nonaffiliated third parties
• Requires:
• The board of directors to be responsible for security issues
within financial institutions
• Risk management
• Training to all employees on information security issues
• Test security measures implemented
• Written security policy
67. 67
Laws, Directives, and Regulations
• Computer Fraud and Abuse Act
• The primary U.S. federal antihacking statute.
• Prohibits seven forms of activity and makes them federal crimes
• Federal Privacy Act of 1974
• Applies to records and documents developed and maintained
by specific branches of the federal government.
• An actual record is information about an individual’s
education, medical history, financial history, criminal history,
employment, and other similar types of information.
• An agency cannot disclose the information without written
permission from the individual
68. 68
Laws, Directives, and Regulations
• Computer Security Act of 1987:
• Requires U.S. federal agencies to identify computer systems
that will contain sensitive information
• Develop security policy and plan for each of these systems
• Conduct periodic training for individuals who operate,
manage, or use these systems
• Security awareness training and define acceptable computer
use and practices
• Economic Espionage Act of 1996
• Provides the necessary structure when dealing with
industry and corporate espionage and further defines
trade secrets to be technical, business, engineering,
scientific, or financial
69. Law
Offense Section Sentence
Obtaining National Security Information (a)(1) 10 (20) years
Accessing a Computer and Obtaining Information (a)(2) 1 or 5 (10)
Trespassing in a Government Computer (a)(3) 1 (10)
Accessing a Computer to Defraud & Obtain Value (a)(4) 5(10)
Intentionally Damaging by Knowing Transmission (a(5))(A) 1 or 10 (20)
Recklessly Damaging by Intentional Access (a(5))(B) 1 or 5 (20)
Negligently Causing Damage & Loss by Intentional
Access
(a(5))(C) 1 (10)
Trafficking in Passwords (a)(6) 1 (10)
Extortion Involving Computers (7) 5 (10
The maximum prison sentences for second convictions are noted in parentheses he maximum prison sentences for
second convictions are noted in parentheses
71. • Difficulties in Prosecution
– Lack of Understanding
• Judges, Lawyers, Police, Jurors
– Evidence
• Lack of Tangible Evidence
– Forms of Assets
• Magnetic Particles, Computer Time
– Juveniles
• Many Perpetrators are Juveniles
• Adults Don’t Take Juvenile Crime Seriously
71
Computer Crime Challenge
72. 72
Investigations
• Incident Response
• Have policy and procedures in place for incident
response
• Incident response team
• Follow predetermined steps
• Decide whether to conduct own forensics
73. 73
Investigations
• Incident Handling
• Procedures for how to handle all incidents
• Related to disaster recovery planning
• Contain and repair any damage caused by an
event or prevent any further damage
• Linked to security training and awareness program
• Become part of mailing list of the Computer
Emergency Response Team (CERT)
74. 74
Investigations
• Forensics
• A science and an art that requires specialized techniques for
the recovery, authentication, and analysis of electronic data
for the purposes of a criminal act.
• Computer Forensics
• Must be properly skilled
• Work from a copy
• Specialized tools
• Chain of custody
• Photograph crime scene
76. Incident Investigators
• Network Analysis
– Communication analysis
– Log analysis
– Path tracing
• Media Analysis
– Disk imaging
– MAC time analysis (modify,
access, create)
– Content analysis
– Slack space analysis
– Steganography
• Software analysis
– Reverse engineering
– Malicious code review
– Exploit review
76
77. Penetration Testing
• Process of simulating attacks on a network and its systems at
the request of the owner, senior management.
• Uses a set of procedures and tools designed to test and
possibly bypass the security controls of a system.
• Its goal is to measure an organization’s level of resistance to
an attack and to uncover any weaknesses within the
environment.
• Penetration tests can evaluate web servers, DNS servers,
router configurations, workstation vulnerabilities, access to
sensitive information, remote dial-in access, open ports, and
available services’ properties that a real attacker might use to
compromise the company’s overall security.
77
78. Penetration Testing
• When performing a penetration test, the team goes through a
five-step process:
– 1. Discovery - Foot printing and gathering information about the target
– 2. Enumeration - Performing port scans and resource identification
methods
– 3. Vulnerability mapping - Identifying vulnerabilities in identified
systems and resources
– 4. Exploitation - Attempting to gain unauthorized access by exploiting
vulnerabilities
– 5. Report to management - Delivering to management documentation
of test findings along with suggested countermeasures
78
79. Penetration Testing
• The penetration testing team can have varying degrees of
knowledge about the penetration target before the tests are
actually carried out:
– Zero knowledge - The team does not have any knowledge of the
target and must start from ground zero.
– Partial knowledge - The team has some information about the target.
– Full knowledge - The team has intimate knowledge of the target.
– A blind test is one in which the assessors only have publicly available
data to work with. The network staff is aware that this type of test will
take place.
– A double-blind test (stealth assessment) is also a blind test to the
assessor as mentioned previously, plus the security staff is not
notified.
79
80. FASS Group
Enrique J. Gonzalez, MIS
CFE, CISSP
Forensic, Auditing, Security Services
info@fassgroup.net
81. Jose A. Arroyo, MS
MCSA, MCT, CEH
787-340-3781
jarroyo@obsidisconsortia.org
josearroyo@talktoait.com
82. Jose L. Quiñones, BS
MCSA, MCT, CEH, CIE, GCIH, GPEN, RHCSA
787-238-5568
josequinones@codefidelio.org
jquinones@obsidisconsortia.org
Editor's Notes
The most important asset for an organization is its data.