
Port of Seattle security presentation - David Morris

Published on: Mar 4, 2016
Published in: Technology      
Source: www.slideshare.net


Transcript - Port of Seattle security presentation - David Morris

  • 1. Cyber Security Threats and What You Can Do
  • 2. Agenda
    • Threat History
    • Current Threats
    • Breakdown of a Common Attack
    • What You Can Do
      – Incident Response
      – Resources Available
  • 3. CTS Security Operations Center
    Provides centralized information sharing, monitoring, and analysis of Washington State's security posture while mitigating risk and minimizing incident exposure.
    • Alerting
    • Risk Analysis
    • Incident Response
    • Vulnerability Management
    • Education and Awareness
    Awareness test: http://www.youtube.com/watch?v=oSQJP40PcGI
  • 4. Cyber Security in the News
  • 5. 1999 Threat - Melissa
    • Sent copies of an infected Word document to up to 50 people from each victim's Outlook address book
    • No damage to computers or files
    • Overwhelmed mail servers
    http://www.cert.org/advisories/CA-1999-04.htm
  • 6. 2003 Threat – Slammer
    • SQL Server stack buffer overflow vulnerability (MS02-039, SQL Server 2000 Resolution Service on UDP/1434; the patch had been available for six months)
    • Code execution at SYSTEM user level
    http://www.cert.org/advisories/CA-2003-04.htm
  • 7. 2008 Threat – Conficker
    • Windows Server service vulnerability (MS08-067)
    • Multiple variants
    • Quickly took over millions of computers
    • Disabled Windows services
    • Locked out users
  • 8. Today's Threats
    Persistent
    • 44% increase in breach incidents 2010-11 across multiple verticals (Source: Ponemon Institute, 2011)
    Sophisticated
    • Use of advanced techniques and tactics points to growing nation-state sponsorship and resourcing
    Targeted
    • Shift to targeting of commercial sectors and government supply-chain providers
    • Larger attack surface
    • Consumerization of IT with pervasive use of social media, mobile devices, big data and cloud infrastructures
  • 9. What I See at WA State (Reporting Period: 1Q 2013)
  • 10. What I Deal With (Reporting Period: 3/1/13 – 3/15/13)
    • Web site defacement by Turkish Muslim group
    • Attempted breach of VPN account
    • Multiple workstations attempting to communicate with Zeus command and control servers
    • Web server participating in DDoS attack against foreign national
    • Multiple workstations attempting to communicate with ZeroAccess command and control servers
    • Web site content management server software exploited
    • Anomalous traffic at agency firewall indicating insider threat
    • Open mail relay detected
    • Multiple SQL injection attempts against web application
    • Penetration test erroneously configured, causing alerts
  • 11. The Age of the APT
    Advanced Persistent Threats: sophisticated attacks and well-resourced adversaries
    • Nation State Actors
    • Cyber Criminals
    • Open Source Intelligence Collection
    • Foreign Nationals
    • Black Markets
    • Non-Nation State Sub-Contractors
    • Supply Chain Tampering
    • Third Countries
  • 12. Common Attack: Phishing emails
    A member of your staff receives a phishing email, which may be personalized to attract their interest.
  • 13. Common Attack: Drive-by download
    The employee clicks on the link and is infected by a Trojan from a drive-by download.
  • 14. Common Attack: Adversary uses machine to gain access to internal network systems
    The Trojan installs a backdoor which allows a reverse connection to the infected machine. The hacker dumps password hashes and gains access to a critical server via RDP.
  • 15. Common Attack: Data exfiltration
    The attacker encrypts sensitive files found on the critical server and transfers the data out.
  • 16. Attack Anatomy: Phishing emails
    • Discovery of company email addresses (e.g. Jigsaw)
    • Come up with a scenario: "OWA Upgrade", "Security Alert"
    • Build the phishing message: save the .html file locally, or use a kit such as SET (the Social-Engineer Toolkit)
    • Set up a real temporary domain
    • Monitor effectiveness with scripts
  • 17. Attack Anatomy: Drive-by download
    • Packing utilities / Metasploit / BackTrack
    • Alternately, purchase an SDK and sign the executable so that it is trusted
    • Test the executable or payload against free antivirus packages (Microsoft Security Essentials, AVG)
    • Await the acknowledgement (call-back) from the infected machine
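The delivery steps on slides 16 and 17, seen from the receiving side, as an added example that is not part of the original presentation: the lure is an "OWA upgrade" mail whose sender and link sit on a freshly registered lookalike of the organisation's domain, and whose visible link text shows the real OWA host while the href does not. Both messages are constructed samples; the organisation domain `example.gov`, the function names and the two-edit lookalike threshold are assumptions made for the example.

```python
"""Added example (not from the presentation): triage of the lure described on
slides 16-17. Both messages are constructed samples; ORG_DOMAIN and the
two-edit lookalike threshold are assumptions."""
import email
import email.utils
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.gov"  # hypothetical victim organisation

# Constructed phishing sample: sender and link use "examp1e.gov" (digit one),
# and the visible link text shows the real OWA host while the href does not.
PHISH_MAIL = """From: IT Helpdesk <helpdesk@examp1e.gov>
To: staff@example.gov
Subject: Action required: OWA upgrade tonight
Content-Type: text/html

<html><body>Please sign in at <a href="http://owa-upgrade.examp1e.gov/login.html">
https://owa.example.gov/</a> to keep your mailbox after the upgrade.</body></html>
"""

# Constructed benign sample from the real helpdesk, linking to the real portal.
LEGIT_MAIL = """From: IT Helpdesk <helpdesk@example.gov>
To: staff@example.gov
Subject: OWA maintenance window
Content-Type: text/html

<html><body>OWA is unavailable 22:00-23:00; use
<a href="https://owa.example.gov/">the OWA portal</a> afterwards.</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance: a registered domain one or two edits from ours
    (examp1e.gov, exampIe.gov) is the temporary lookalike an attacker
    registers for a campaign."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels; good enough for .gov/.com, not for ccTLD second-levels."""
    return ".".join(host.lower().split(".")[-2:])


def is_lookalike(host):
    reg = registered_domain(host)
    return reg != ORG_DOMAIN and edit_distance(reg, ORG_DOMAIN) <= 2


def analyse_mail(raw):
    """Return a list of findings; an empty list means nothing suspicious found."""
    msg = email.message_from_string(raw)
    findings = []
    sender = email.utils.parseaddr(msg["From"])[1]
    if is_lookalike(sender.split("@")[-1]):
        findings.append(f"sender domain is a lookalike of {ORG_DOMAIN}: {sender}")
    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname or ""  # empty unless the text is a URL
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but goes to {href_host}")
        if is_lookalike(href_host):
            findings.append(f"link points at lookalike domain {href_host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_MAIL), ("legit", LEGIT_MAIL)):
        print(name, analyse_mail(raw) or ["clean"])
```

The registration age of the domain (the slide's "real temporary domain") is the strongest single signal but needs a WHOIS or passive-DNS lookup, so it is not in the offline example; the edit-distance rule catches the common typo-squat and the text-versus-href mismatch catches the classic display trick regardless of which domain the attacker bought.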
  • 18. Attack Anatomy: Adversary uses machine to gain access to internal network systems (RDP)
    • Passwords enumerated and cracked
    • Mapping of other network devices
    • Active Directory queries
    • Access attempts with credentials
  • 19. Attack Anatomy: Data exfiltration
    • Data is compressed
    • Data is encrypted and sent over a common port such as 80 or 443
    • Transmission is rate-limited to avoid detection
    • Data is used for criminal purposes or to damage reputation
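The post-compromise steps on slides 18 and 19 leave two traces a SOC can key on, shown here as an added example that is not part of the original presentation: credential enumeration followed by an RDP logon from a workstation (Windows Security event 4625 for each failed logon, then 4624 with LogonType 10, the RemoteInteractive type RDP produces), and a long outbound-heavy session on 443 whose encrypted, rate-limited upload cannot be inspected but still stands out by volume, duration and out/in ratio. The event IDs and logon type are real; host names, addresses, thresholds and the "WS-" workstation naming convention are hypothetical, and all records are constructed.

```python
"""Added example (not from the slides): detections for the post-compromise
stages on slides 18-19 over constructed telemetry. Event IDs 4625/4624 and
LogonType 10 are real Windows values; everything else is hypothetical."""
from collections import defaultdict

# Constructed Windows Security events:
# (EventID, source host, target account, LogonType, target host)
LOGON_EVENTS = [
    (4625, "WS-017", "jsmith", 3, "FILESRV01"),
    (4625, "WS-017", "agarcia", 3, "FILESRV01"),
    (4625, "WS-017", "bchen", 3, "FILESRV01"),
    (4625, "WS-017", "mnguyen", 3, "FILESRV01"),
    (4625, "WS-017", "administrator", 3, "FILESRV01"),
    (4624, "WS-017", "administrator", 10, "FILESRV01"),   # RDP after the enumeration
    (4624, "ADMIN-JUMP01", "ops_admin", 10, "FILESRV01"),  # RDP from the jump host: expected
    (4624, "WS-042", "jdoe", 2, "WS-042"),                 # ordinary console logon
]

# Constructed flow records: (src, dst, dport, bytes_out, bytes_in, duration_s)
FLOWS = [
    ("10.1.5.20", "198.51.100.7", 443, 48_000_000, 96_000, 7200),  # 2 h at ~6.5 KB/s out
    ("10.1.5.20", "203.0.113.9", 443, 900_000, 14_000_000, 420),   # ordinary browsing
    ("10.1.5.31", "198.51.100.7", 443, 2_000_000, 40_000, 60),     # short upload burst
]

SPRAY_ACCOUNTS = 5            # distinct accounts failing from one source host
MIN_EXFIL_BYTES = 10_000_000  # assumed thresholds; tune to the environment
MIN_EXFIL_SECONDS = 1800
MIN_OUT_IN_RATIO = 20.0


def is_workstation(host):
    """Assumed naming convention: workstations are WS-nnn, servers are not."""
    return host.upper().startswith("WS-")


def detect_lateral_movement(events):
    """Findings for password enumeration and workstation-sourced RDP logons."""
    failed = defaultdict(set)  # source host -> accounts that failed from it
    findings = []
    for event_id, src, account, logon_type, target in events:
        if event_id == 4625:
            failed[src].add(account)
        elif event_id == 4624 and logon_type == 10 and is_workstation(src):
            findings.append(f"RDP logon to {target} as {account} from workstation {src}")
    for src, accounts in failed.items():
        if len(accounts) >= SPRAY_ACCOUNTS:
            findings.append(f"{len(accounts)} accounts failed from {src}: password enumeration")
    return findings


def detect_slow_exfil(flows):
    """Flag long, outbound-heavy sessions on a common port. Rate limiting keeps
    each flow record small, so totals are aggregated per (src, dst, port)."""
    totals = defaultdict(lambda: [0, 0, 0])  # key -> [bytes_out, bytes_in, seconds]
    for src, dst, dport, out, inbound, secs in flows:
        t = totals[(src, dst, dport)]
        t[0] += out
        t[1] += inbound
        t[2] += secs
    findings = []
    for (src, dst, dport), (out, inbound, secs) in totals.items():
        ratio = out / max(inbound, 1)
        if out >= MIN_EXFIL_BYTES and secs >= MIN_EXFIL_SECONDS and ratio >= MIN_OUT_IN_RATIO:
            findings.append(f"{src} -> {dst}:{dport} sent {out / 1e6:.0f} MB in {secs}s "
                            f"({out / secs / 1024:.1f} KB/s, out/in ratio {ratio:.0f})")
    return findings


if __name__ == "__main__":
    for line in detect_lateral_movement(LOGON_EVENTS) + detect_slow_exfil(FLOWS):
        print(line)
```

The exfiltration rule deliberately ignores payload content: the slide's data is compressed and encrypted before it leaves, so only volume, duration and direction survive. A 48 MB transfer at a few KB/s never trips a per-minute bandwidth alarm, which is the point of the attacker's rate limiting; aggregating per destination over hours or a day is what brings it back into view, at the cost of needing an allow-list for legitimate bulk uploads (backup and cloud-sync destinations) that look the same.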
  • 20. Recommendations
    1. Build a strong security foundation
    2. Have an incident response plan ready
    3. Know who to call
  • 21. Build a Security Foundation
    • SANS Top 20 Controls (the Critical Security Controls)
    • Australian DoD (DSD) mitigation strategies
    • NIST guidelines
  • 22. Develop Incident Response Mechanisms
    • Have a plan (NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide)
    • Know the priority of your assets
    • Exercise your plan
      – 15-minute tabletops
      – Functional exercise every 6 months
    • Recognize that in many cases you will not be able to contain the incident yourself
  • 23. Establish Partnerships
    • MS-ISAC
      – Forensic analysis
      – Log analysis
      – Malware reverse engineering and disassembly
      – Vulnerability scanning (application and host)
    • FBI Cyber Task Force (CTF)
      – Incident response
      – Threat assessment
      – Information sharing
    • EMD (Washington Emergency Management Division)
      – Significant cyber event response
  • 24. Questions
