Outpost24 webinar - Enhance user security to stop the cyber-attack cycle
Download as PPTX, PDF0 likes113 views
The document discusses cybersecurity strategies to enhance user security and prevent cyber-attacks. It emphasizes the importance of identifying threats, protecting systems, and implementing measures like multi-factor authentication and password management. The document also highlights the prevalence of credential-related breaches and provides practical tips for securing user access.
Outpost24 webinar - Enhance user security to stop the cyber-attack cycle
- 1. Outpost24 Template 2019 Enhance User Security to Stop the Cyber-Attack Cycle Bob Egner Darren James Outpost24 Specops Software Classification: Open November 23, 2021
- 2. The speakers 2 Bob Egner Outpost24 Head of Products Darren James Specops Software Product Specialist and Technical Lead
- 3. • Identify and manage cyber-security exposure • Full stack security assessment • Pen testing and Red teaming 3 • Manage digital risk as quickly as the threat landscape changes • Automated and targeted cyber- Threat Intelligence • Protect your business data by blocking weak passwords • Authentication & Password Management • Desktop Management solutions Outpost24 Group
- 4. Today’s topic Business disruption Know the hacker Practical strategies for securing users Takeaways 4
- 5. Disruption Verizon’s brand for digital natives No stores, app for all customer care Hacked accounts compromised by credential stuffing Theft of phones, disruption to users, impact to reputation BillyPenn.com – INSTAGRAM / @KC_TINARI / #BILLYPENNGRAM, November 10, 2018 5
- 7. The security leader’s imperative 7 Identify Protect Detect Respond Recover Cybersecurity Framework
- 8. The security leader’s imperative 8 Identify Protect Detect Respond Recover Endpoints Network Cloud Application Data Users Cybersecurity Framework
- 9. The security leader’s imperative 9 Identify Protect Detect Respond Recover Endpoints Network Cloud Application Data Users What’s real? What’s dangerous? What’s important? Cybersecurity Framework
- 10. Outpost24 Template 2019 Know the hacker
- 11. Types of hackers Cyber-criminals - profit Nation-State - geopolitical Thrill seeker - lulz Hacktivist - ideological Insider - discontent 11 11
- 12. Cyber Kill Chain 12 Lockheed Martin https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
- 13. Ransomware Kill Chain – attacker’s view 13 Lockheed Martin https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html Outsourced Outsourced Outsourced Outsourced Outsourced Outsourced
- 14. • 61% of breaches involve credentials for initial access • Over 15 billion compromised credentials in hacker forums • Increasing use of password spray attacks targeting privileged cloud accounts 14 Delivery - initial access Verizon Data Breach Investigation Report (DBIR), 2021
- 15. pass·word en·tro·py ˈpas-ˌwərd ˈen-trə-pē • Is the measure of password strength or how strong the given password is. It is a measure of effectiveness of a password against guessing or brute- force attacks. 15 • Hard to brute-force passwords longer than 8 characters • Easier if you sniff network traffic for hashes and compare to “easy to guess” hashed passwords • Or – just buy compromised credentials Password entropy https://www.geeksforgeeks.org/password-entropy-in-cryptography/
- 16. Shrink the attack surface • No such thing as “perfect security” • Objective is to slow the attacker down • Evaluate exposed services • Patch regularly • Manage access 16
- 17. Outpost24 Template 2019 Practical strategies for securing users
- 18. “Over 80% of breaches involve brute force or lost and stolen credentials” Verizon’s Data Breach Investigations Report “Over 70% of employees reuse passwords at work ” 18
- 19. Attacks against passwords are a way to breach a network AND a data source that can be sold for future attacks Cyber attacks involving passwords: • Brute force • Key logging • Phishing • Social engineering • Ransomware • Supply chain • Dictionary • Password spraying • Credential stuffing Cyber threats and user access 19
- 20. • Colonial Pipeline was breached on April 29, 2021 • Hackers gained access through a VPN account that was no longer in use, but still active • The VPN password was found in a list of leaked passwords on the dark web • There was no MFA in place on the VPN Critical infrastructure breach 20
- 21. Securing user access • Implement MFA where possible • Security awareness training and enforcement • Secure user passwords • Block breached passwords • Tell users why their chosen passwords fail • Implement passphrases • Use a password manager Best practices 21
- 22. • Audit your Active Directory passwords via a simple scan with Password Auditor • Identifies accounts using leaked passwords • Accounts with blank passwords • Accounts sharing the same passwords • Accounts not requiring passwords • …and many more • Results available in interactive dashboard • Export to CSV and detailed PDF • More secure and easy to implement • World class support • Updated regularly Getting Started: Free Audit 22
- 25. Takeaways Risk - Focus on potential disruption to your business Hygiene - Constantly work to reduce attack surface Users - The most common vector for initial access Try it – download the Password Auditor 25
Editor's Notes
- #6: Verizon’s new low-cost brand “Visible” for digital natives No stores, online only – No customer care phone service, only text and chat Victim of credential stuffing attack (credentials purchased through an Initial Access Broker (criminal) Take over user accounts - order phones, disrupt users Besides customer disruption, stolen phones, it’s a reputation issue for parent Verizon who has built a brand around cyber security expertise Annual Verizon DBIR (Data Breach Investigation Report) Because it was credential stuffing, Verizon denies it was a breach
- #7: Explosion of ransomware from CryptoLocker in 2013 to REvil in 2020 and Dopplepayment in 2020 Constantly in the news Common elements – first access, then spread, and demand a double extortion > expose data, hold data for ransom Factoids about average cost / payment (Verizon DBIR)
- #8: Organizations that have a cyber security staff may be familiar with this framework of activities But many are looking for an easier way (buy your way out) with security technology Or even outsource to a managed security provider But the starting point is good security practices that can be implemented by IT teams of any size
- #9: The focus is often split by the type of technology asset you need to evaluate For the user area, we often think of access control – do we have something in place to limit access But the human dimension is harder to evaluate
- #10: What do you own, where is it weak, what are you going to do about it? The objective is to “shrink the attack surface” to make it harder for the attacker to get in There is no such thing as perfect security To save time / cost, you have to focus on what’s important to the business and things you can fix
- #12: Types of threat actors Nation-state: motivated by geopolitical outcomes Cyber criminals : profit motive Hacktivist: ideological Terrorists: ideological violence For the lulz (thrill seeker): satisfaction Insider: discontent
- #13: Getting in (delivery, exploitation) and exfiltration (mission goal) are not the hard (or time consuming parts Assume you will be attacked, and they will be successful – what next? Focus on dwell time Industry stats show 3-7 months, we have worked with clients experiencing multiple years Some of you may owner fewer security tools than the hacker has in their arsenal TTPs – Tactics Techniques and Procedures Ex. token stealing and pass-the-hash, or Windows Management Interface (WMI) and Mimikatz NotPetya used some code / concepts from Mimikatz to accelerate spread (delivery)
- #14: Initial access attacks – according to Verizon (DBIR 2021 fig 20) Phising – gain access by tricking user Stolen credentials – using known credentials to “walk right in” The former is address by security awareness training (partner AwareGO) The latter by monitoring for compromised passwords Exploitation is moving files (for extortion) to a temporary location and encrypting those on the endpoint https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2017/ransomware-analysis-executions-flow-and-kill-chain https://www.alertlogic.com/assets/checklists/Ransomware_KillChainShort.pdf
- #15: A few months ago, I saw a figure of 15 billion compromised credentials and passwords were for sale on hacker forums (5 billion of which were unique) Initial access broker (criminal) Couple that with the average user with over 100 services, each requiring a user name and password (I have 134 in my password manager) Reuse at work and home is likely – this is the beginning of the password management challenge Average cost $15-$20 per credential (bank/financial average more) Direct access to organizations through administrator credentials are even more, averaging over $3000 Last month Microsoft DART (Detection and Response Team) issued guidance about an increasing number of password spray attacks targeting privileged cloud accounts
- #16: Password complexity – use passwords of more than 8 characters (12 is good) or passphrases where you can reach 32 characters Common practice to use “easy” passwords on the internal network because users think they are well-protected in their castle – low entropy Superior cracking method can make hundreds of thousands to millions of hash calculations per second on ordinary PC equipment