We Welcome You To The 7th Annual Hacking Conference


How to Claim CPE Credit
Visit https://iiachi.cnf.io or scan the QR code below.
CPE link code: shaken

My Favorite Hacking Exploits and What You Can Do To Detect or Prevent Them!

Abstract/Topic:
History teaches us that seemingly impregnable security measures can be breached by clever attackers. The same holds true for cybersecurity. A clever cybercriminal or nation-state can often side-step an organization's regulatory IT security controls (e.g., GLBA, HIPAA, PCI, SOX) and implemented "defense-in-depth" security products in order to "capture the flag". This two-part presentation will present several hacking exploits that I often use during a penetration test or cyber-attack simulation, and will then more broadly explore how to deny an attacker the opportunity to successfully complete an exploit. With this knowledge, organizations can begin plugging the security holes that determined cyber-attackers strive to discover.

At the end of this presentation, you will:
- Understand why regulatory security controls and defense-in-depth security products may be insufficient for broadly protecting computers, mobile devices and applications from determined cyber-attackers.
- Understand the kinds of exploits that cyber-attackers are using to side-step implemented security controls.
- Understand the need to think "outside-the-box" in order to discover potential exploits that may be used by cyber-attackers.
- Learn techniques for denying cyber-attackers the opportunity to successfully perform a cybercrime.

Ken's Bio:
Ken Zoline is a senior manager in Baker Tilly's technology risk services practice focusing on cybersecurity, risk, vulnerability and compliance assessments as well as cyber-attack simulations and penetration testing. He has twenty-two years of advisory experience in security and networking, four years of director-level experience developing and managing a cybersecurity and risk management program for SPSS (acquired by IBM), and four years of security operations management experience working for IBM Global Technology Services. Additionally, Ken has taught college-level courses in cybersecurity, cybercrime and networking.

My favorite hacking exploits and what you can do to detect or prevent them!
Kenneth Zoline, CISSP
Baker Tilly US, LLP
November 11, 2020

WITH YOU TODAY
Meet your presenter
Kenneth Zoline, CISSP
Senior Manager
ken.zoline@bakertilly.com

Ken Zoline is a senior manager in Baker Tilly's technology risk services practice focusing on cybersecurity, risk, vulnerability and compliance assessments as well as cyberattack simulations and penetration testing. He has twenty-three years of advisory experience in security and networking, four years of director-level experience developing and managing a cybersecurity and risk management program for SPSS (acquired by IBM), and four years of security operations management experience working for IBM Global Technology Services. Additionally, Ken has taught college-level courses in network security, cybersecurity and cybercrime.

OVERVIEW
Presentation abstract
— History teaches us that seemingly impregnable security measures can be breached by clever attackers. The same holds true for cybersecurity.
— A clever cybercriminal or nation-state can often side-step an organization's regulatory IT security controls (e.g., GLBA, HIPAA, PCI, SOX) and "defense-in-depth" security in order to "capture the flag".
— Part 1 of my presentation will present several hacking exploits that I often use during a penetration test or cyberattack simulation to accomplish the following goals: (1) take control of a computer; (2) use it to locate valuable information; and (3) exfiltrate the targeted information. Recommendations for detecting and preventing the demonstrated exploits will be offered.
— Part 2 of my presentation will more broadly explore how to deny an attacker the opportunity to successfully complete an exploit. With this knowledge, organizations can begin plugging the security holes that determined cyberattackers strive to discover.

OVERVIEW
Learning objectives
1. Understand why regulatory IT security controls and defense-in-depth security may be insufficient for broadly protecting computers, mobile devices and applications from determined cyberattackers.
2. Understand the kinds of exploits that cyberattackers are using to side-step implemented security controls.
3. Understand the need to think "outside-the-box" in order to discover potential exploits that may be used by cyberattackers.
4. Learn techniques for denying cyberattackers the opportunity to successfully perform a cybercrime.

Introduction
Why can an attacker side-step your implemented security controls?

INTRODUCTION
Best laid plans often go astray
— Security controls are like fortifications: well designed defenses to keep something or someone safe
    [Illustrations: The Breach of Troy; the Target data breach; the Breach of Fort Eben-Emael]
— Yet they sometimes fail because a well conceived attack is carried out that the implemented defense cannot handle due to an underlying vulnerability, often an oversight or an unintended consequence

INTRODUCTION
Vulnerabilities: the bane of security
— People: workforce susceptibility to social engineering attacks that prey upon human nature
— Process: policy coverage, focus and deployment issues
— Technology: security gaps in deployed protection technology
    - Defense-in-depth tries to mitigate this but may not
— Other issues:
    - Regulatory IT controls may be insufficient for protecting all IT assets due to their limited scope
    - Security properties to protect: Confidentiality / Possession / Integrity / Authenticity / Availability / Utility

Part 1: My favorite exploits

Let's pretend that I am a cybercriminal

"Good morning Mr. Sutton. International Widget's success is crushing our client's efforts to gain competitive advantage in the marketplace. Your assignment is to steal International Widget's customer database and maintain persistence for later missions. All needed information for accomplishing this mission has been provided to you. As always, if you are discovered or caught, we will disavow any knowledge of your actions. This message will self-destruct in 5 seconds. Good luck, Willie."

Mission impossible
— Goal: Steal customer data from International Widget's Customer Resource Management (CRM) system
— Approach:
    - Step 1: Take remote control of a computer
    - Step 2: Acquire the user credentials needed to remotely access the CRM system
    - Step 3: Login to the CRM system using the stolen credentials to grab and exfiltrate the customer data

Mission plausible
— "My Favorite Exploits" are tools and techniques that I use to attack a system and compromise its security
— Focused on Step 1a below
[Diagram of the attack chain: Initial recon; Step 1a: initial system compromise; Step 1b: maintain presence; Step 2a: escalate privileges; Step 2b: internal recon and move laterally; Step 3: complete mission]

Step 1a: Initial system compromise
— Goal: Take remote control of a computer that can be used to reach the CRM system.
— Approaches
    1. Exploit a VLC media player vulnerability to open a remote control window
    2. Use a USB Rubber Ducky to open a remote control window
    3. Leverage local physical presence to login to a computer using stolen credentials and open a remote control window
    4. Many other approaches can be considered, including the vulnerabilities in US-CERT's alert AA20-133A, Top 10 Routinely Exploited Vulnerabilities (URL truncated in the source: ...ts/aa20-133a)

STEP 1A – INITIAL SYSTEM COMPROMISE
Exploit 1: VLC media player opens a remote control window
— Targeted vulnerabilities
    - Software: CVE-2018-11529. VideoLAN (VLC) media player 2.2.x is prone to a use-after-free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV media files. VLC is seemingly never updated.
    - Security misconfiguration: Windows AutoPlay allows VLC to play MKV media files without user interaction. We can connect to an external command-and-control site without intervention.
    - Human: susceptibility to social engineering

STEP 1A – INITIAL SYSTEM COMPROMISE
Exploit 1: VLC media player opens a remote control window (cont'd)
— Approach
    - Prepare a malicious video file containing a remote control payload. Payload selection/obfuscation is critically important in order to evade malware defense!
    - Do the following:
        - Drop a USB stick (or CD/DVD) containing the malicious media file
        - Send an enticing email containing an attachment (the malicious media file) or a link to the malicious media file at a fake website that mimics a trusted one
    - Wait for a remote control window to appear on MY COMPUTER!

STEP 1A – INITIAL SYSTEM COMPROMISE
Exploit 1: VLC media player opens a remote control window (cont'd)
— Detection
    - Monitor and review persistent network connections
    - Monitor Windows computers' system and application logs
— Prevention
    - Patch VLC media player!
    - Turn off Windows AutoPlay (Group Policy: Administrative Templates > Windows Components > AutoPlay Policies > Turn off AutoPlay); the misconfiguration on the previous slide is what lets the file open without a click
    - Conduct security awareness training for this kind of exploit
    - Use an isolated virtual desktop computer to play untrusted media files
    - Implement an Internet proxy server to control outbound connections

STEP 1A – INITIAL SYSTEM COMPROMISE
Exploit 2: Rubber Ducky opens a remote control window
— Targeted vulnerabilities
    - Human error / security misconfiguration: the Windows console is unlocked
    - Security misconfiguration: Windows allows a USB Rubber Ducky (a "Human Interface Device", i.e., a keyboard as far as the OS is concerned) to be connected. We can connect to an external command-and-control site without challenge.
— Approach
    - Insert the USB Rubber Ducky into an open USB slot on a running Windows computer for 3 seconds and then remove it

STEP 1A – INITIAL SYSTEM COMPROMISE
Exploit 2: Rubber Ducky opens a remote control window (cont'd)
— Detection
    - Monitor and review persistent network connections
    - Monitor Windows computers' system logs
    - Look for rapid USB HID device insertion and removal
    - Review host command history
    - Review malware defense and host intrusion detection/prevention logs

STEP 1A – INITIAL SYSTEM COMPROMISE
Exploit 2: Rubber Ducky opens a remote control window (cont'd)
— Prevention
    - Do not leave running computers in an unlocked state. Use the Windows+L keystroke to lock the computer's console
    - Implement an Internet proxy server to control outbound connections
    - Note that blocking USB mass storage does not stop a Rubber Ducky: it enumerates as a keyboard, so device-installation restrictions must cover HID-class devices (allow-listing known keyboards) to have any effect
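The "rapid USB HID device insertion and removal" detection bullet above is easy to state and rarely implemented. The following is an added example for this page (not the presenter's tooling) of that check run over an exported device-event list. It assumes Windows Kernel-PnP events flattened to (timestamp, event_id, device_instance_id) tuples, with 410 meaning "device started" and 420 meaning "device deleted" (confirm those IDs on your build); the records and the VID/PID values are constructed for the demo.

```python
"""Flag keyboard-class USB devices that appear and vanish within a few seconds.

Added example; not from the presentation. Assumes Kernel-PnP style records
(410 = device started, 420 = device deleted). All records below are constructed.
"""
from datetime import datetime
from typing import Dict, List, Tuple

DEVICE_STARTED, DEVICE_DELETED = 410, 420   # assumed Kernel-PnP event IDs; verify on your build

# Constructed export. A Rubber Ducky enumerates under the HID branch like any
# keyboard, so monitoring that only watches USBSTOR (mass storage) never sees it.
SAMPLE_EVENTS = [
    ("2020-11-11T09:14:02", 410, r"USB\VID_1111&PID_0001\6&2A1B3C4D&0&2"),     # mouse hub node
    ("2020-11-11T09:14:05", 410, r"HID\VID_1111&PID_0001\7&1F2E3D4C&0&0000"),  # mouse, stays all day
    ("2020-11-11T12:31:40", 410, r"HID\VID_2222&PID_0002\8&DEADBEEF&0&0000"),  # unknown keyboard appears
    ("2020-11-11T12:31:43", 420, r"HID\VID_2222&PID_0002\8&DEADBEEF&0&0000"),  # and is gone 3 s later
    ("2020-11-11T17:02:10", 410, r"HID\VID_3333&PID_0003\9&11112222&0&0000"),  # docking-station keyboard
    ("2020-11-11T18:30:55", 420, r"HID\VID_3333&PID_0003\9&11112222&0&0000"),  # removed at end of day
]

def is_hid(instance_id: str) -> bool:
    """Only the HID enumerator branch: that is where a keystroke-injecting device shows up."""
    return instance_id.upper().startswith("HID\\")

def find_hid_bursts(events, max_dwell_seconds: float = 10.0) -> List[Tuple[str, float]]:
    """Return (instance_id, seconds_present) for HID devices removed within
    max_dwell_seconds of starting. Events are sorted by time first, so an
    out-of-order export still pairs start/delete correctly."""
    started: Dict[str, datetime] = {}
    hits: List[Tuple[str, float]] = []
    ordered = sorted(((datetime.fromisoformat(ts), eid, dev) for ts, eid, dev in events),
                     key=lambda e: e[0])
    for ts, eid, dev in ordered:
        if not is_hid(dev):
            continue
        if eid == DEVICE_STARTED:
            started[dev] = ts
        elif eid == DEVICE_DELETED and dev in started:
            dwell = (ts - started.pop(dev)).total_seconds()
            if dwell <= max_dwell_seconds:
                hits.append((dev, dwell))
    return hits

if __name__ == "__main__":
    for dev, secs in find_hid_bursts(SAMPLE_EVENTS):
        print(f"ALERT: HID device {dev} was present for only {secs:.0f}s")
```

A legitimate keyboard is plugged in for hours; a keystroke injector is plugged in for the few seconds its script needs, so dwell time separates them better than the device ID does (the Ducky's VID/PID can be changed). Pair this alert with the "review host command history" bullet: the script usually leaves a PowerShell or cmd invocation in the same few-second window.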

STEP 1A – INITIAL SYSTEM COMPROMISE
Exploit 3: Steal credentials, login and open a remote control window
— Targeted vulnerabilities
    - Physical security / human
        - We can physically access a computer inside the office
        - We can install a keylogger on a USB keyboard that goes unnoticed
            - Choice 1: the keylogger is a USB extension cable
            - Choice 2: the keylogger is a small USB plug
            - Option: harvest the keylogger over Wi-Fi
    - Security misconfiguration
        - We can connect to an external command-and-control site
        - Wi-Fi (if used) is not detected

STEP 1A – INITIAL SYSTEM COMPROMISE
Exploit 3: Steal credentials, login and open a remote control window (cont'd)
— Approach
    1. Use social engineering to gain physical access
    2. Plant the USB keylogger on the targeted device
    3. Return later to do the following:
        - Harvest credentials
        - Login to the computer using the stolen credentials
        - Open a remote shell using the Rubber Ducky (exploit #2)
        - Remove the USB keylogger and replant it elsewhere if needed

STEP 1A – INITIAL SYSTEM COMPROMISE
Exploit 3: Steal credentials, login and open a remote control window (cont'd)
— Detection
    - Monitor and review persistent external network connections
    - Perform routine visual inspection of host devices' USB ports
    - Enable Wi-Fi SSID monitoring or perform a recurring review
    - Note: a passive inline hardware keylogger is transparent to the host (the keyboard still enumerates normally), so USB device control does not see it; the physical inspection above is the control that catches it
— Prevention
    - Conduct security awareness training for this kind of exploit
    - Attempt to block rogue USB devices
    - Attempt to locate/remove unauthorized Wi-Fi access points

Recap Step 1a: Initial system compromise
— What have I accomplished so far?
    - I have compromised a computer
    - I have opened a remote control connection between the compromised computer and my command-and-control computer
— And I may have acquired one or more users' login credentials for masquerading as them later in the attack!
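All three exploits above end the same way, with the compromised computer holding a connection out to the attacker's command-and-control host, and "monitor and review persistent network connections" is the first detection item on each of their slides (and on the Step 1b, 2a and 3 slides that follow). The following is an added example for this page, not the presenter's tooling, of what that review looks like when automated. It assumes a firewall or proxy export flattened to one line per connection in the field format shown; the log lines are constructed. Two shapes are checked: periodic low-jitter "beacons" (a C2 implant checking in on a timer) and a single session held open for hours (a reverse shell).

```python
"""Flag command-and-control style connections in an outbound connection log.

Added example; not from the presentation. Assumes one line per connection in the
format parsed by LINE below. The log is constructed for the demo.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

LINE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+) dur=(\d+)$")

# Constructed sample: 10.1.4.23 browses normally to 198.51.100.10, checks in every
# ~60 s to 203.0.113.7, and holds one session open for 4 h to 203.0.113.9.
SAMPLE_LOG = """\
2020-11-11 12:30:05 src=10.1.4.23 dst=198.51.100.10 dport=443 dur=3
2020-11-11 12:30:09 src=10.1.4.23 dst=198.51.100.10 dport=443 dur=1
2020-11-11 12:30:10 src=10.1.4.23 dst=198.51.100.10 dport=443 dur=2
2020-11-11 12:32:00 src=10.1.4.23 dst=203.0.113.7 dport=443 dur=1
2020-11-11 12:33:01 src=10.1.4.23 dst=203.0.113.7 dport=443 dur=1
2020-11-11 12:34:00 src=10.1.4.23 dst=203.0.113.7 dport=443 dur=1
2020-11-11 12:35:02 src=10.1.4.23 dst=203.0.113.7 dport=443 dur=1
2020-11-11 12:36:01 src=10.1.4.23 dst=203.0.113.7 dport=443 dur=1
2020-11-11 12:37:00 src=10.1.4.23 dst=203.0.113.7 dport=443 dur=1
2020-11-11 12:38:01 src=10.1.4.23 dst=203.0.113.7 dport=443 dur=1
2020-11-11 12:39:02 src=10.1.4.23 dst=203.0.113.7 dport=443 dur=1
2020-11-11 12:40:00 src=10.1.4.23 dst=203.0.113.9 dport=4444 dur=14400
2020-11-11 12:47:33 src=10.1.4.23 dst=198.51.100.10 dport=443 dur=5
2020-11-11 12:47:35 src=10.1.4.23 dst=198.51.100.10 dport=443 dur=1
2020-11-11 13:15:02 src=10.1.4.23 dst=198.51.100.10 dport=443 dur=4
2020-11-11 13:15:40 src=10.1.4.23 dst=198.51.100.10 dport=443 dur=2
"""

def parse_log(text: str) -> List[Dict]:
    """Parse connection lines; lines that do not match are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, dur = m.groups()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "src": src, "dst": dst, "dport": int(dport), "dur": int(dur)})
    return records

def find_beacons(records: List[Dict], min_hits: int = 6, max_cv: float = 0.1) -> List[Dict]:
    """Flows with >= min_hits connections whose inter-arrival times have a low
    coefficient of variation (stdev / mean) look timer-driven, i.e. like an implant."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                         "period": statistics.median(gaps), "cv": round(cv, 3)})
    return hits

def find_long_lived(records: List[Dict], min_seconds: int = 3600) -> List[Dict]:
    """A single outbound session open for hours is the other shape a reverse shell takes."""
    return [r for r in records if r["dur"] >= min_seconds]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for b in find_beacons(recs):
        print(f"beacon     {b['src']} -> {b['dst']}:{b['dport']} every ~{b['period']:.0f}s "
              f"({b['count']} hits, cv={b['cv']})")
    for r in find_long_lived(recs):
        print(f"long-lived {r['src']} -> {r['dst']}:{r['dport']} open {r['dur'] // 3600} h")
```

The browsing flow has as many connections as the beacon but its gaps vary by orders of magnitude, which is why the check keys on jitter rather than count. Implants that add random sleep ("jitter") push the coefficient of variation up, so in practice the threshold is tuned per environment and combined with the proxy's destination reputation; the point the slides make is that the review has to happen at all.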

Step 1b: Establish foothold
— Goals
    1. Establish a persistent remote control capability that can survive logoff/power-off and power-on/logon cycles
        - The remote control session must be initiated by the compromised computer (outbound), since inbound connections to the host are normally blocked
    2. Disable malware defense. This can be accomplished using:
        - The Windows command line
        - The malware defense GUI
        - Other, more advanced methods

Step 1b: Establish foothold (cont'd)
— Detection
    - Remote control
        - Monitor and review persistent network connections
        - Monitor registry updates (in particular the Run/RunOnce autostart keys)
        - Monitor new scheduled tasks
    - Malware defense
        - Review Windows system and malware defense logs

Step 1b: Establish foothold (cont'd)
— Prevention
    - General
        - Do not grant local administrative access privileges to computer users
        - Implement non-persistent virtual desktops for end-user computing
    - Remote control
        - Restrict access to the Windows registry and task scheduler
    - Malware defense
        - Do not allow malware defense to be disabled by computer users (enable the product's tamper protection)
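The two detection bullets above, registry autostart updates and new scheduled tasks, are where the Step 1b foothold has to leave a trace if it is to survive a reboot. The following is an added example for this page, not the presenter's tooling, of a hunt over those two sources. It assumes events flattened to dicts: Security event 4698 ("a scheduled task was created", with the command pulled out of the task XML) and Sysmon event 13 (registry value set). All records are constructed, including the user, task and host names.

```python
"""Hunt for autostart persistence of the kind a Step 1b attacker plants.

Added example; not from the presentation. Assumes Security 4698 and Sysmon 13
records flattened to dicts. Every record below is constructed.
"""
import re
from typing import Dict, List

# Locations whose values run at boot/logon; substring match so HKLM/HKU and Run/RunOnce all hit.
AUTOSTART_KEYS = ("\\currentversion\\run", "\\winlogon\\userinit", "\\winlogon\\shell")
# Paths a standard user can write to; legitimate autostarts almost always live under Program Files or Windows.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# A URL or literal IP on the command line is usually the C2 address the implant dials out to.
BEACON_ARG = re.compile(r"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b", re.IGNORECASE)

SAMPLE_EVENTS: List[Dict] = [
    {"id": 4698, "user": "NT AUTHORITY\\SYSTEM",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe -c -h -k"},
    {"id": 4698, "user": "CORP\\jdoe",
     "task": "\\OneDriveSync",                      # benign-sounding name, attacker-planted
     "command": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe -c https://203.0.113.7/ping"},
    {"id": 13, "user": "CORP\\jdoe",
     "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"},
    {"id": 13, "user": "NT AUTHORITY\\SYSTEM",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "details": "%windir%\\system32\\SecurityHealthSystray.exe"},
]

def _why_suspicious(command: str) -> List[str]:
    """Reasons an autostart command looks attacker-planted (empty list = looks normal)."""
    reasons = []
    low = command.lower()
    if any(p in low for p in USER_WRITABLE):
        reasons.append("runs from a user-writable path")
    if BEACON_ARG.search(command):
        reasons.append("command line carries a URL or IP address")
    return reasons

def find_suspicious_persistence(events: List[Dict]) -> List[Dict]:
    """Return one finding per new scheduled task or autostart registry value that looks planted."""
    findings = []
    for e in events:
        if e["id"] == 4698:                         # Security: a scheduled task was created
            reasons = _why_suspicious(e["command"])
            if reasons:
                findings.append({"kind": "scheduled_task", "name": e["task"], "user": e["user"],
                                 "command": e["command"], "reasons": reasons})
        elif e["id"] == 13:                         # Sysmon: registry value set
            if not any(k in e["target"].lower() for k in AUTOSTART_KEYS):
                continue                            # not an autostart location; ignore
            reasons = _why_suspicious(e["details"])
            if reasons:
                findings.append({"kind": "run_key", "name": e["target"], "user": e["user"],
                                 "command": e["details"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_persistence(SAMPLE_EVENTS):
        print(f"{f['kind']:15} {f['user']:22} {f['name']}\n    {f['command']}\n    {'; '.join(f['reasons'])}")
```

Two checks a practitioner should make before relying on this: event 4698 is only written when the "Other Object Access Events" audit subcategory is enabled, and Sysmon event 13 only covers the registry paths included in the Sysmon configuration, so both sources must be verified as actually producing data on the hosts being hunted. The prevention bullet (no local admin, restricted task scheduler) removes the HKLM and system-task variants; the HKU Run key and a user-level task remain reachable to an unprivileged account, which is why this hunt still matters after the prevention is in place.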

Step 2a: Escalate privileges
— Acquire credentials to access the CRM system
— Immediate goal: acquire the local Administrator's credentials
    - Why? The same local Administrator account (and password) is likely deployed on every computer in the enterprise!
    - Use these credentials to acquire other recently logged-in users' credentials
— Approach (greatly simplified)
    1. Escalate privileges to dump the computer's local account database (on Windows this is the SAM hive, not a separate "password file")
    2. Acquire the password hash for the local Administrator account

Step 2a: Escalate privileges (cont'd)
— Detection
    - Monitor and review persistent external network connections
    - Monitor Windows system log events
    - Monitor Windows PowerShell usage
— Prevention
    - Don't grant "local administrator" privileges to end-users! Local administrator rights are what let an attacker read the SAM and LSASS, which is the starting point for the "Pass-the-Hash" technique
    - Do not cache user credentials on the computer
    - Implement Microsoft's Local Administrator Password Solution (LAPS) so each computer's local Administrator password is unique and rotated

Step 2b: Internal recon, move laterally, establish persistence, escalate privileges
— Acquire credentials to access the CRM system
    - We now have local Administrator credentials (usable via pass-the-hash)
— Goal: Acquire the credentials needed to masquerade as a CRM user, and the information needed to reach the CRM system
— Approach
    - Search for targets to visit (internal reconnaissance)
    - Visit targeted computers to harvest credentials (move laterally)
    - Leave "open backdoors" as needed (establish persistence)
    - Acquire "domain administrator" credentials (escalate privileges)

Step 3: Complete the mission
— Do the following to complete the mission:
    - Login to the CRM system masquerading as an authorized CRM user
    - Grab customer data using a standard report or database query
    - Use an implemented back channel to securely exfiltrate the data
— Detection
    - Monitor and review persistent external network connections
    - Monitor application logins and transaction activity
— Prevention
    - Implement multi-factor authentication

Recap: What happened?
I bypassed many implemented security controls!

Recap: What happened?
1. Used social engineering to gain remote access to a computer system
2. Escalated privileges to acquire the local administrator's credentials
3. Leveraged the local administrator's credentials to acquire other computer users' credentials, including the domain administrator and an authorized CRM user
4. Remotely accessed the CRM application as a legitimate user via internal communication and stole information (Objective #1)
5. Planted persistent backdoors and acquired domain administrator credentials for later attacks (Objective #2)

Part 2: What can you do to better protect your organization?

Five tactical recommendations (low hanging fruit)
1. Make computer users aware of plausible exploits through security awareness training
2. Do not grant "local administrator" privileges to computer users
3. Implement Microsoft's Local Administrator Password Solution (LAPS) to randomize the local administrator's password on all Windows computers
4. Implement Windows PowerShell security and logging (script block logging, module logging and transcription, plus Constrained Language Mode for non-administrators) to restrict and detect its malicious use
5. Implement multi-factor authentication to protect critical information systems and databases

Ten strategic recommendations to better protect your organization
1. Program: Develop, document, implement and maintain a comprehensive cybersecurity program
2. Ownership: Employ/contract a qualified individual or third party who is charged to develop, implement, maintain and operate the cybersecurity program
3. Awareness: Rigorously address workforce security awareness on an ongoing basis
4. Vigilance: Identify and mitigate vulnerabilities on an ongoing basis

Ten strategic recommendations to better protect your organization (cont'd)
5. Oversight: Oversee the security arrangements of contracted business partners, business associates and service providers
6. Preparedness: Have documented and tested procedures for responding to (and recovering from) security incidents, including data breaches
7. Illumination: Hire an independent and well-qualified third party to conduct a comprehensive cybersecurity assessment on a recurring basis (see next slide)

Comprehensive cybersecurity assessment
1. Internet reconnaissance to discover open-source information known to attackers
2. Vulnerability discovery to holistically identify, categorize and prioritize security weaknesses
3. Threat modeling to identify attack vectors and the vulnerabilities that may be exploited
4. Cyberattack simulation (not commodity penetration testing) to interactively assess:
    - Control design and effectiveness
    - The organization's ability to detect, prevent and respond to cyberattack phases
    - Plausible attack likelihood and impact
5. Assessment to identify gaps, maturity and risk

Ten strategic recommendations to better protect your organization (cont'd)
8. Protection: Identify and manage organizational cyber risks that are the result of ineffective, immature or missing cybersecurity practices and controls
9. Assurance: Audit the implementation of these strategic recommendations (1-8)
10. Governance: Actively govern cybersecurity and cyber risk from the highest level within the organization (see next two slides)

Board of Directors' Responsibilities
From the National Association of Corporate Directors (NACD) "Director's Handbook on Cyber-Risk Oversight"
Five core principles:
1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal and regulatory implications of cyber risks as they relate to their company's specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the Board meeting agenda.

Board of Directors' Responsibilities (cont'd)
4. Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

Closing remarks
— For as long as the Internet exists, organizations that are connected to the Internet and people that use the Internet will be targeted by attackers
— By governing cybersecurity and illuminating your attack surface, you can develop a risk-prioritized approach for treating vulnerabilities and controlling threats
— In so doing, you will make it harder for attackers to find exploitable vulnerabilities and commit a cybercrime.

My favorite hacking exploits and what you can do to detect and prevent them!
Questions?
For further information, contact ken.zoline@bakertilly.com

The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Tax information, if any, contained in this communication was not intended or written to be used by any person for the purpose of avoiding penalties, nor should such information be construed as an opinion upon which any person may rely. The intended recipients of this communication and any attachments are not subject to any limitation on the disclosure of the tax treatment or tax structure of any transaction or matter that is the subject of this communication and any attachments. Baker Tilly US, LLP trading as Baker Tilly is a member of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. © 2020 Baker Tilly US, LLP
