
© 2013 Armstrong Teasdale LLP Under the Black Hat Daniel Nelson, C|EH, CIPP/US August 27, 2014.




1  Under the Black Hat
Daniel Nelson, C|EH, CIPP/US
August 27, 2014

2  How Bad is the Hacking Threat?
- “Hackers” write sophisticated computer code to invade computer networks
- Hackers do this to target personal information, which is then used for identity theft
- “Hacking” is the digital equivalent of robbing a bank: hackers break into a system, rob it, and make their getaway
- Hacking leaves digital fingerprints that can be traced back to catch the thief

3  What’s the Real Story?

4  Who’s The Hacker?

5  Who’s The Hacker
- Adrian Lamo
- Kevin Poulsen
- Mercedes Haefer
- John “Captain Crunch” Draper
- Robert Morris
- Berkeley Blue & Oaf Tobar

6  They Hack for Profit
Sometimes, but:
- Revenge
- Information
- “A Cause”
- Street Cred
- Boredom
- “Because It’s There”

7  They Are After Our Personal Information
- Says who? -- Brian Krebs, KrebsonSecurity.com

8  Hackers Are Computer “Black Belts”

9  Everything A Hacker Needs
Over 100 Hacking Tools Pre-installed

10  Tools such as:
- John the Ripper (Password Cracking)
- Angry IP Scanner (Scanning)
- THC Hydra (Password Cracking)
- Cain & Abel (Anything you can imagine on a Windows System)
- Burp Suite (Web Apps)
- Social Engineering Toolkit (“SET”)
- Wireshark (packet sniffer)
One of the biggest challenges is to choose from among a plethora of tools

11  Nessus
Screenshot annotations: “How Bad for You/Good for Me”; “Vulnerability Name: So I Can Find It Easily”

12  Trespassing At Will?....Priceless
- Kali Linux: FREE
- The Included Tools: FREE
- Nessus: FREE
- Trespassing At Will? Priceless

13  But the Two Most Powerful Hacking Tools?

14  Google
- Pre-hack Reconnaissance on Target:
  - System configurations
  - Usernames
  - Passwords
  - Email Addresses
  - Reporting Relationships
- The Answer to Any “How Do I” Question You Could Ever Ask

15  YouTube
FUD: Fully Undetectable Remote Administration Terminal (a Trojan)

16  True Hackers…
- Love to Share
  - Know-how
  - Exploits
  - Data
  - Updates

17  Hacking Is Easily Detected

18  Hacking Leaves Digital Tracks

19  Quick Overview of Hacking
- Basic (but still dangerous) hacking requires access to YouTube and a willingness to learn
- Hackers have many different targets
- Good Hackers may lurk in a system for months
- Hacking is extremely difficult to detect

20  What Can Be Done
- Combat Social Engineering
  - Understand the Threat
  - Train
- Engage With Security
  - Understand what “IT” really means
  - Take Charge
- Understand Current Legal Requirements
- Avoid The Compliance Trap
- Be Your Own CISO

21  Social Engineering
- “Hacking the Wetware”
- The most direct, efficient and effective form of attack
- One simple goal: generate an emotional response
- Takes Many Forms:
  - Phishing/Spearphishing
  - Physical Intrusion
  - Remote
- Odds are strongly in the Hacker’s favor

22  Phishing/Spearphishing
- Phishing: Impersonal “blast” email
- Spearphishing: Uses personal information about the “sender” or recipient to encourage the recipient to trust the email
  - Vacation plans
  - Recent promotions
  - Company events
  - Hobbies
- This information is all too easy to find:

23  Spearphishing Takes Many Forms

24  There’s An App For That

25  Phishing With SET

26  Physical Intrusion
First Rule of Hacking: If you can touch it, you will own it.

27  Social Engineering Countermeasures
- Build Awareness
  - Every Employee is Part of Your Security Plan
- Train
  - Recognize the Common Attack Vectors
  - Appreciate the Dangers

28  Engage With Security
- Understanding “IT”: the field is highly specialized
  - Network
  - Desktop
  - Database
  - Programming
  - Website
- Security is 10% IT, and 90% Everybody Else
  - Physical Security
  - Mobile Device Security
  - Anti-Phishing

29  The Biggest Mistake
- Ignoring Counsel’s Essential Role in Data Security
- What You Give Up:
  - Privilege
  - Participation in decisions when it matters most
  - Independent analysis

30  Protecting Privilege
- Attorney-client privilege can be invoked between the victim company’s outside legal counsel and hired third-party forensic firms that perform a review of the system during a breach. Invoked privilege allows the forensic company to report breach results directly to the law firm.
http://www.secretservice.gov/ECTF_best_practices.pdf

31  Being There When It Matters Most
- Data Security incidents often have legal consequences
  - Regulators
  - Insurance coverage issues
  - Lawsuits
- IT won’t be representing the company!
- You can be there when decisions are made, or you can be there when the die has been cast.

32  Independent Eyes
- Why do we have outside auditors?
- The same principle holds true for data forensics: often outside eyes see more clearly
  - Independent evaluation of what went right, and what went wrong
  - May well be more qualified for forensic work
  - Better expert witnesses
  - Detect the “inside job”

33  The Second Biggest Mistake
- Failure to have a plan
- Data Incidents take many forms, and involve complicated questions that demand real-time answers
- Regulators (and underwriters) are increasingly looking at whether you had a plan

34  What’s the Next Step?
- Front Desk Security calls: there are two FBI Agents in the lobby asking to speak to the head of Information Security.
  - Do you meet with them?
  - Do you allow them access to your network?
  - What is your company’s policy with respect to cooperation with law enforcement?

35  What’s the Next Step (Part II)
- Your CEO receives an email containing the private financial information of ten of your customers. The sender informs you that they have all 10,000 such records, and intend to release them unless your company pays a ransom within 12 hours.
  - What is your company’s policy for this?
  - Do you involve law enforcement?
  - What is your media strategy?
  - Does your cyber policy cover this?
  - How do you evaluate whether the threat is real?

36  Understand the Legal Requirements
- Fast Changing Landscape
- The “Law” Simply Can’t Keep Up
- FTC “Common Law” on Security
- HIPAA
- State Data Security Laws
- Long on Recommendations, but Short on Specifics

37  Recent FTC Enforcement Actions
- Cbr Systems, Inc.
  - Cbr’s privacy policy promised to handle personal information securely and in accordance with its Privacy Policy and Terms of Service
  - After unencrypted data contained on storage media and a laptop were stolen from a Cbr employee’s car, the FTC charged Cbr with deceptive trade practices because Cbr failed to keep its security promises. In particular, the FTC focused on Cbr’s failure to employ secure data transport practices, failure to encrypt data, and retention of data for which Cbr no longer had a business need

38  Enforcement Actions
- TRENDnet
  - SecurView cameras for home monitoring
  - Software issue allowed anyone with a camera’s web address to view the live feed
- FTC charged: failure to utilize reasonable measures to test security; unencrypted transmission of user credentials; and unencrypted mobile storage of login information.

39  Massachusetts Data Security Laws
- Requires a “Comprehensive” data security program that includes:
  - Designated responsible employee(s)
  - Identification & assessment of risks
  - Employee security policies
  - Oversight of service providers (including requiring such providers, by contract, to maintain appropriate security measures)
  - Encryption of data that will “travel across public networks” or that will be “transmitted wirelessly”

40  Encryption
- Growing body of regulations and enforcement actions requiring some form of encryption
- Encryption may come in many forms:
  - Encryption in transmission (e.g. PCI Rules, TLS/SSL, PGP Email)
  - File level Encryption
  - Full disk Encryption

41  The Compliance Trap
- Compliance can be Security’s Worst Enemy
- “Check the Box” is not the same as “Secure”
- Compliance: Do you have a home alarm?
- Security: Do you actually turn it on?

42  Be Your Own CISO
- Update & Patch
  - Very little “Zero Day” Malware
  - A Significant Amount of Malware is Reverse Engineered from the Patch
- Password Security
  - Wrc$5oo93=T
  - Longer is Better: PollyWants1Cracker
- Secure Physical Access
- Change Default Passwords
  - Computers/Wireless Access Points
  - Home Alarms
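To put slide 42’s “Longer is Better” in numbers, here is an added example (not from the presentation) that estimates the exhaustive-search space of the two passwords shown on the slide; the 1e11 guesses-per-second rate is an assumption, not a figure from the talk.

```python
import math
import string

# Character classes of printable ASCII. An attacker doing exhaustive search
# only has to cover the classes a password actually draws from.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# The two passwords shown on slide 42.
SLIDE_PASSWORDS = ["Wrc$5oo93=T", "PollyWants1Cracker"]


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers the password."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace_bits(password: str) -> float:
    """log2 of the exhaustive search space, alphabet_size ** len(password)."""
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e11) -> float:
    """Worst-case time to search the whole space at an assumed guess rate
    (1e11/s is an assumption standing in for a GPU rig against a fast,
    unsalted hash; a slow KDF such as bcrypt lowers it by many orders)."""
    seconds = 2 ** keyspace_bits(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(passwords=SLIDE_PASSWORDS) -> list:
    """Return (password, length, alphabet, bits, years) rows, weakest first."""
    rows = [(pw, len(pw), alphabet_size(pw), keyspace_bits(pw), years_to_exhaust(pw))
            for pw in passwords]
    return sorted(rows, key=lambda r: r[3])


if __name__ == "__main__":
    for pw, n, a, bits, yrs in compare():
        print(f"{pw:20s} len={n:2d} alphabet={a:3d} bits={bits:6.1f} years={yrs:.3g}")
```

The 18-character mixed-case phrase comes out around 107 bits against roughly 72 for the 11-character symbol-heavy string, which is the slide’s point. This models only exhaustive search, though; a wordlist attack with common substitutions would reach PollyWants1Cracker far sooner, so length pays off only when the words themselves are not guessable.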

43  Questions?
Dan Nelson, C|EH, CIPP/US, Partner
314.552.6650
dnelson@armstrongteasdale.com
http://twitter.com/DanNelsonEsq
www.linkedin.com/in/danielcnelson
