Protect Your Properties from Cyber Attacks!...Offensive Security (Red Team) • Penetration Testing...

Page 1

Presented by:

Danny Timmins, National Cyber Security Leader

2017

Protect Your Properties from Cyber Attacks!

Cyber Security MNP Technology Solutions

MNP Cyber Security Presentation

Page 2

• Cyber Security Overview

• Cyber Crime Tactics and Techniques

o Hacking (Penetration Testing)

o Social Engineering (Malware/Crimeware)

o Red Teaming

• Considerations

Page 3

Lessons from the field

• Canada’s 5th Largest Accounting | Tax | Consulting

• 4500 Team Members

• 80 Offices coast to coast

• 55 Cyber Security Professionals Nationally

Page 4

MNP is more than an Accounting Firm

• Digital Strategy

• Portal Development

• Business Continuity

• Workplace Collaboration

• CRM/ERP

• Cloud Strategy

• Operational Technology

• IoT

• Cyber Security & Risk

• Data Analytics

• DevOps

• Auditing

Page 5

Predictions

➢ 99% of vulnerabilities exploited will continue to be the ones known by security/IT professionals.

➢ The single most impactful enterprise activity to improve security will be patching.

➢ The second most impactful enterprise activity to improve security will be removing web server vulnerabilities.

Page 6

Predictions

➢ Internet of Things will grow to an installed base of 20.4 billion.

➢ A third of successful attacks experienced will be on their shadow IT resources.

➢ Companies are using more than 15 times more cloud services to store critical company data than CIOs were aware of.

➢ Nearly eight in ten (77%) of decision makers admit to using a third-party cloud application without approval.

Page 7

What’s happening in the industry?

Damages have started to increase in Canada. Casino Rama is an example of damages increasing… 30+ million.

Canada’s new privacy laws will require breach notice and affect private sector operations in Canada (Digital Privacy Act)… do you know your data?

Cyber insurance… how much do you need… is it focused on the correct areas?

Page 8

What’s happening in the industry?

Mandatory cyber audits are coming for publicly traded companies in Canada… the US is pushing hard – it’s coming.

Payment Card Industry (PCI) already has compliance, e.g. Best Western Motels have been targeted; very limited security.

Equifax: 140M plus, 100+ thousand in Canada… patch management said to be the issue… mishandled from the start of the breach… directing clients to a phishing site.

Page 9

Who is Behind Cyber Attacks?

**89% of breaches had financial or espionage motive

• Nation States

• Organized Hackers

• Non-Organized Hacker

• Employee: Technical

• Employee: Business

• Malicious Former Employee

Page 10

Cyber Security Building Assessment

Assess:

- Perform a cyber security health check which includes building network systems

- Do an inventory of assets

Detect:

- Try to compromise facility physically

- Perform phishing testing (email, wireless)

- Assess which devices are accessible (externally/internally) and have vulnerabilities

- Perform automated security scanning

- Perform penetration testing

Remediate:

- Document results to fix all found vulnerabilities

- Retest the systems to make sure that the systems have been patched

- Work with you and your vendors

Page 11

What if a data breach happened? What are the risks?

- Impact building management systems

- Unauthorized physical access to tenant areas

- Brand and reputation

- Non-compliance with privacy regulations

- Unable to fulfill service commitments

- Loss of tenants

Page 12

Other Risks to Consider

• Supply Chain/Vendor Management

• Privacy - Personal Identification Information (PII)

• Regulatory Compliance

• Intellectual Property (IP)

• New Automation deployments - IoT (Internet of Things)

• Payment Systems (Ecommerce or Point of Sale)

• Strategic plans, engineering drawings, RFPs, proposals, etc.

• Life Safety Systems – elevators, exhaust

Page 13

Let’s take a closer look!

Page 14

What is Hacking?

- The EXPLOIT of a technical vulnerability

- Human error (still a vulnerability)

- Can involve chaining together a series of weaknesses

- Performed without owner permission

Page 15

What is Penetration Testing?

- Similar to hacking except owner gives permission

- Attempt to gain access to sensitive information or resources

- Steps can include:

  - Information gathering

  - Vulnerability enumeration

  - Vulnerability exploitation / Privilege Escalation

  - Exploration / Lateral Movements

- Performed against defined scope

- Measures Network(s) and Application(s) resiliency

- Overall goal to improve security posture

Page 16

Almost ALWAYS Starts with a Vulnerability

Page 17

Page 18

Example 1: Penetration Test

Page 19

Target: Management Controller

Page 20

Page 21

Page 22

Dump Password Hashes:

Page 23

What Can You Do with Hash?

Page 24

“Hashinator”

26 lower case letters (a-z)

26 upper case letters (A-Z)

10 digits (0-9)

8 Characters

26+26+10 = 62

62 ^ 8 = 218,340,105,584,896

…or < 2 days
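
The slide's arithmetic carried further, as an added example that is not part of the original presentation: it derives the guess rate implied by "< 2 days" and finds the shortest password length whose full keyspace would take at least a target period to exhaust at that rate. The function names, the extra alphabets and the 10-year target are assumptions chosen for illustration.

```python
"""Exhaustive-search arithmetic from the "Hashinator" slide, generalized.

Constructed example: the slide gives only the alphabet (62 symbols), the
length (8) and the bound "< 2 days". Everything else here is an assumption.
"""
from fractions import Fraction

# Character classes listed on the slide.
SLIDE_CLASSES = {"lower": 26, "upper": 26, "digits": 10}
SLIDE_LENGTH = 8
SLIDE_BOUND_SECONDS = 2 * 24 * 3600  # "< 2 days", taken as an upper bound
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def implied_rate() -> Fraction:
    """Minimum guesses/second needed to cover the slide's keyspace in 2 days.

    The real rate depends on the hash algorithm and hardware, which the
    slide does not state; this is only the lower bound its numbers imply.
    """
    alphabet = sum(SLIDE_CLASSES.values())
    return Fraction(keyspace(alphabet, SLIDE_LENGTH), SLIDE_BOUND_SECONDS)


def exhaust_seconds(alphabet_size: int, length: int, rate: Fraction) -> Fraction:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return Fraction(keyspace(alphabet_size, length)) / rate


def min_length(alphabet_size: int, rate: Fraction, target_seconds: int) -> int:
    """Shortest length whose full keyspace takes at least `target_seconds`."""
    length = 1
    while exhaust_seconds(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length


def policy_table(rate: Fraction, target_years: int = 10) -> dict:
    """Minimum length per alphabet for a hypothetical resistance target."""
    alphabets = {"digits": 10, "lower": 26, "alnum (slide)": 62,
                 "printable ASCII": 95}
    target = target_years * SECONDS_PER_YEAR
    return {name: min_length(size, rate, target)
            for name, size in alphabets.items()}


if __name__ == "__main__":
    rate = implied_rate()
    print(f"implied rate: {float(rate):.3e} guesses/s")
    for length in range(8, 13):
        days = exhaust_seconds(62, length, rate) / 86400
        print(f"62^{length}: {float(days):,.0f} days worst case")
    print(policy_table(rate))
```

Each extra character multiplies the worst-case time by the alphabet size, which is why length requirements move the result far more than adding one more character class.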

Page 25

Page 26

U/P Leads to Full VM Infrastructure

Page 27

Once Access is Gained… Then We “Pivot”

Page 28

Access to HVAC System…

Page 29

Example 2: Programming Error

Page 30

What is Social Engineering?

- An act that influences a person to take an action

- Used by attackers as it consistently works

- There is no patch for untrained users

- Performed against defined scope

- Three types of Social Engineering:

  - Phishing

  - Vishing

  - Impersonation

- Measures how well People identify SE attacks

Page 31

Example Phishing

Page 32

Page 33

Page 34

Page 35

Hello, my name is XXXXX. Resume attached. I look forward to seeing you.

Sincerely yours, XXXXX

Page 36

Social Engineering Attackers Deploy Fake Social Media Profiles

Page 37

Tip #3 – Google Images

- Use Google Images to verify and validate pictures

Page 38

Page 39

What is Red Teaming?

• Contains aspects of Penetration Testing and Social Engineering

• Performed with the permission of the owner

• Typically full-scope, multi-layered attack simulation

– Penetration Testing

– Social Engineering

– Physical Security Controls

• Designed to measure resiliency of People, Network(s), and Application(s) during a real-life attack

• Attacks are performed simultaneously

• Overall goal to identify gaps and improve Incident Response

Page 40

Public Infrastructure – SCADA

• Engagement Objectives:

– Non-Technical Objectives (Flags)

• Gain access to the SCADA facility

– Technical Objectives (Flags)

• Perform Penetration Test against internal assets

• Attempt to gain access to PLC controllers

• Rules of Engagement:

– Assets will not be removed from physical location

Page 41

Public Infrastructure – SCADA

• Engagement Findings:

– Successfully gained access to facility via piggybacking in behind employee

– Performed penetration test against internal assets and able to recover password hashes

– Able to bypass thin-client to gain access to corporate network from SCADA facility

– Access to the PLC network was gained due to lack of network segmentation

– Determined DoS possible on PLC network by sending one malformed packet

– No indicators of compromise were detected by client

Page 42

Red Team - Key Findings

• Social Engineering attacks like phishing and impersonation consistently work

– Lack of Security Awareness training for employees aids attackers

• Once inside an organization, detection does not occur

– Security controls like IDS/IPS can log events; however, no one responds to alerts

• Lack of patch management and build/hardening standards

– Allows for compromise of sensitive information/data

• Organizations are not equipped to deal with real-life adversary attacks

Page 43

Considerations

Page 44

Considerations

▪ Do a company-wide Cyber Security Health Check. Do you and your executives understand what risks you are protecting against and where to prioritize budget & resources?

▪ Develop and implement the appropriate cyber security infrastructure to protect your organization. When was the last time you and your team reviewed your infrastructure?

▪ Understand potential exposure by engaging “ethical hackers” (cyber security consultants) to hack your organization: Networks, Applications, Mobile.

Page 45

Considerations

▪ Incident Response: a) Have you developed a plan and done a tabletop exercise? b) Do you know who to call if a breach happens?

▪ Supply Chain/Vendor/Third Parties Management Strategy – beginning with the IT focused contracts.

▪ Backup & Recovery – have they been tested to recover, and do you have backups offline & offsite?

▪ How are you controlling Shadow IT? Do people install applications without permission?

Page 46

Considerations

▪ Cyber Security Educational Training – Training can’t just be a poster on a wall (videos, testing, personalize, etc.).

▪ Does the organization store, process or transmit credit card data? MUST be PCI Compliant.

• Has your organization considered outsourcing your Cyber Security with dedicated Cyber Security Admins & Advisors?

Page 47

Considerations

▪ Consider purchasing cyber security insurance. Make sure it is focused on the key risk loss areas of the business.

▪ Is your business putting in place Cyber Security practices, procedures and metrics? Does your risk register include Cyber Security and is it focused on the right risks? Does the board actually understand and agree with the risks being covered – were they part of the decision?

Page 48

Cyber Security Services

Offensive Security (Red Team)

• Penetration Testing

• Blended Threat Attack Exercises

• Social Engineering

• Vulnerability Assessments

Payment Card Industry (PCI) Compliance

• Scope Discovery

• Gap Analysis and Readiness Review

• On Demand Consulting and Remediation

• PCI Report on Compliance Validation (ROC)

• PCI SAQ Review and Sign Off

• External ASV Scanning

• Annual Maintenance (Business as Usual)

Forensics

• Data Retrieval from hard drives, servers, laptops, cell phones, etc.

• E-Discovery Service for Court Admissibility

Risk Management

• Quantitative Threat and Risk Assessment (based on probabilities and industry statistics)

• Qualitative Threat and Risk Assessment (based on matrix approach)

• Cloud Security Checklist

• Privacy Impact Assessments

• MTA (Maturity Threat Analysis)

• Information Security Framework Development

• Assessment and Review against ISO27k, NIST, CSF or CSC 20

• Policy, Process, Procedure and Documentation Development

Defensive Security (Blue Team)

• Enterprise Network Security

• Network, Wireless and Security Architectural Design

• Perimeter and Data Center Security

• Data Loss Prevention and Data Encryption

• Email / Web Content Filtering and Malware Protection

• Secure Access and Authentication

• End Point Security and Encryption

• Wireless, BYOD and Network Access Control

• Security Hardening Standards and Guidelines

• Virtualization and Cloud Computing Standards and Guidance

• Security Awareness Training

Managed Services

• Cyber Security Administration

• Perimeter Threat Prevention (firewall, IPS, anti-virus, web application firewalls, etc.)

• 2-Factor Authentication

• Log Management

Page 49

• Proposed Tax Changes: http://www.mnp.ca/en/posts/tax-changes-and-your-family-business-what-you-need-to-know

• Impacts on Your Family Business: http://www.mnp.ca/en/posts/tax-changes-and-your-family-business-what-you-need-to-know

• Risk Management in Cyber Security: http://www.mnp.ca/en/real-estate-and-construction/risk-management-in-cyber-security

Page 50

Questions?

Danny Timmins

National Leader Cyber Security
