"The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and zeros, little bits of data." —Sneakers (1992)

In an era where countries are in a new arms race, not for territory or weapons but for computer hackers or attackers, war erupts. Some attackers are assigned to infiltrate foreign networks to expose and prevent terrorist attacks, while others are entrusted to compromise social security numbers and sell them to the highest bidder.

Computer security breaches worsen each year. In 2013, the total number of breaches was 62 percent higher than in 2012.¹ The trend continued in 2013-2014 with breaches on Fortune 500 companies, like Sony, Home Depot, Target and JPMorgan. Now, 2015 commenced with one of the worst breaches in the financial industry with the cyber attack involving the Carbanak malware. These are the incidents that make the headlines and remind us that computer security is real and needed.

As cyber attacks continue to occur, legislators and law enforcement agencies have begun to make cyber-crime law a focal point. The enactment of laws such as the USA Patriot Act allows U.S. law enforcement to monitor Internet communications to intercept and potentially prevent cyber attacks. When an attack of interest occurs, law enforcement officials will assign specialized investigators and digital forensics experts to the case in attempts to identify and prosecute the attacker(s).

With the large amount of sensitive and personally identifiable information (e.g., date of births, social security numbers and bank accounts) stored in a variety of computer environments, protection is crucial. This article discusses common attack methodologies, attack vectors and best practices to protect against these threats.

Common Methodologies and Attack Vectors

Attackers use a variety of techniques when infiltrating network environments. Each methodology is characterized by its unique set of challenges and is heavily dependent on the target environment. Some common attack vectors used to infiltrate environments involve outdated software, password security and social engineering.

Outdated Software

Attackers often begin by enumerating an environment for running services and/or software. If they identify an outdated service or software, research begins for existing vulnerabilities and exploits. An attacker will either create or modify an existing exploit for the computer system containing the outdated software. Once the attack is successfully executed, the attacker will obtain an entry point and possibly infiltrate the computer system in its entirety. A real world example of a compromise due to outdated software is the Sony PlayStation breach.

In 2011, attackers compromised approximately 77 million accounts from the Sony PlayStation network due to outdated software.² Attackers exploited the Apache³ service to infiltrate Sony’s networks, expose user credit card information and deny availability to the PlayStation network. Sony disclosed a $171 million loss due to the cyber attack.⁴

Password Security

According to SplashData’s research, the most common password for three consecutive years is 123456.⁵ An attacker with the latest password cracking hardware can crack that password in 0.0000111 seconds, if not faster. Users using this or similar passwords should change their passwords immediately.

Similar to the outdated software methodology, attackers will enumerate the network environment and services. Once a service requiring authentication is identified, an attacker will proceed to attempt to guess the password. An attacker usually begins by guessing default passwords for the respective service and then proceeds with the brute-force approach. Brute forcing in this context is an attempt to gain unauthorized access to a service using several password combinations along with automated tools. With the correct hardware, brute forcing can achieve over 1 billion password attempts a second.

Social Engineering

Social engineering is the use of influence and persuasion to manipulate individuals into disclosing sensitive information. Common methods of social engineering include pretext calling, phishing emails and USB drops.

Imagine attackers who can obtain passwords or even bank account information just by asking for them. This is the art of pretext calling. Pretext calling is a perfect example of how an attacker can obtain sensitive information without the use of technology. In 2011, Microsoft reported that several attackers were impersonating Microsoft representatives when pretext calling individuals.⁶ Attackers impersonating Microsoft representatives would call random individuals, notify them of their supposed computer infection and receive payment for “fixing the issue(s).”

Phishing emails look almost identical to their counterpart. Attackers can send emails designed to appear much like an official LinkedIn invitation or company announcement to lure individuals to provide sensitive information or install attachments. This was the root cause to the Target and recent Carbanak breach.

In December 2013, a Target contractor opened and installed a piece of malware sent as an email attachment that captured the contractor’s credentials and allowed attackers to infiltrate Target’s network environment. Ultimately, the breach resulted in the compromise of the credit and debit accounts of 40 million consumers.⁷ Similarly, attackers sent out phishing emails to multiple financial institutions worldwide. Attached to the email was the Carbanak malware.⁸ Once opened, it would infect networks, which later led to the $1 billion withdrawal.⁹

Perhaps one of the most effective types of social engineering attacks are USB drops, an attack that preys on curiosity. USB drives are placed or “dropped” in parking lots waiting for curious individuals to pick them up and insert them into their computers. Attackers have the ability to program USB devices to take control of a computer seconds after insertion, thus making this scenario feasible.

Best Practices

Whether in a professional work environment or home, it is imperative to protect one’s information. Below are some best practices to defend against common cyber threats.

Updating Software

Updating software is crucial in any given environment, because failing to apply patches and upgrades allows attack vectors to persist—much like in the Sony breach. Most software giants like Microsoft, Apple, Adobe and Java release software updates at least once a month. These updates commonly contain fixes to bugs or security issues.

In a work environment, policies should be implemented dictating when and how to update software. When at home, users should obtain notifications informing them of an available update. As an example, Microsoft Windows notifications usually alert a user of an update at the bottom right of the taskbar, in contrast to Apple, which presents update notifications at the top right of the screen. Be sure to keep your software up-to-date at all times, this includes anti-virus software.

Password Complexity

When creating passwords, use randomly generated complex passwords (e.g., b@?t:n0xFXvh). Password manager applications are those which assist with the creation, storage and encryption of passwords—they are highly recommended. Password managers solely require the remembrance of one password, the master password. It is important to ensure the implementation of a strong and complex master password, as it will be used to unlock all passwords within the encrypted storage container.

In contrast to passwords, passphrases are longer, composed of multiple words and thus are more secure. Those choosing not to use password managers, should use passphrases and ensure they meet the following criteria from SANS:¹¹

• Contains at least 12 alphanumeric characters
• Contains both upper and lower case letters
• Contains at least one number
• Contains at least one special character (e.g., !$%^&*()_+|~-=\`{}[]:”;’<>?,/)

In a work environment, the technical staff should develop and implement policies describing complexity, expiration and reuse requirements for passwords. It is important to note that a strong password may completely deter a brute-force attack.

Encryption

Anthem Health, one of the nation’s largest health care providers, recently revealed that attackers had compromised an estimated 80 million of its customer’s personal identifiable information.¹² At the time of writing this article, Anthem is working with federal law enforcement and has not disclosed the root cause of the attack, but one thing is clear: Attackers obtained the personally identifiable information due to insufficient encryption controls in place by Anthem.

Encryption distorts files and makes them unreadable to the unauthorized user, thus protecting their confidentiality. It is important to enable encryption on system hard drives with programs like BitLocker (Windows) and FileVault (Mac) to encrypt their respective file systems. In addition, documents containing sensitive information should be encrypted before stored or transferred.

In a work environment, solutions should be implemented to encrypt files in transit, at rest and encrypt computers’ complete file systems. At home, sensitive information should be saved as password protected documents (Microsoft Office has the ability to encrypt documents) or containers (e.g., zip files).

Security Awareness

Often times, organizations implement the latest technologies in attempts to secure their environment and keep attackers out. However, they forget one of the most important elements in security: the human element. This is where security awareness comes in.

Security awareness is a major key to preventing cyber threats. When speaking to an individual, confirm their identity and do not provide sensitive information over the phone—technical staff will never ask you for your password. Report suspicious calls to supervisors or the appropriate incident reporting group at work. This can help prevent a company-wide attack.

Phishing emails may be identified by carefully inspecting suspicious email headers as well as the purported identity of the sender. Attackers often use domain names that are similar to official ones, but with subtle differences. Only open email attachments when previously notified of receiving one—no matter how intriguing it looks. Again, one should forward suspicious emails to supervisors or the incident reporting group to confirm their legitimacy. Technical staff should have email solutions implementing advanced spam filtering, email security and more. At home, email providers, like Gmail, are starting to crack down on phishing and will alert users with a red banner.

In addition, do not pick up portable media such as USB drives. Research from the U.S. Department of Homeland Security concluded that 60 percent of individuals that picked up USB drives from parking lots plug them into computers.¹³

Lastly, think before you click. Do not click on non-reputable or untrusted website links, open email attachments or install programs from untrusted sources. In work environments, the technical staff should have implemented web filtering to reduce the chances of individuals visiting non-reputable websites. At home, install browser plugins like Web of Trust (WOT) to help identify safe/reputable websites.

Reporting Incidents

Computer systems might act sluggish at times during updates or heavy activity. However, if it has persisted for multiple days and abnormal behavior (e.g., pop-ups, unfamiliar installed applications, suspicious running processes) has developed, then it is time to report an incident.

When at home, report any suspicious activity to the Internet Crime Complaint Center (IC3). The IC3 was opened in 2000 by the FBI in collaboration with the National White Collar Crime Center (NW3C) to receive suspicious activities and/or complaints about Internet activities such as computer intrusion, espionage, extortion, money laundering, identity theft and more.¹⁴

At work, consult with computer security staff about a suspicious computer incident. If necessary, an incident response team will be notified to perform forensic analysis and investigation on the affected system(s). It is imperative to preserve a computer’s current state at the time of contacting the computer security staff until computer forensics is deemed necessary or not. Incident responders will decide the magnitude of the cyber attack and contact law enforcement as necessary. Law enforcement should be informed of an incident if it affects the security of several individuals, the nation and/or if it results in the “significant loss of data, system availability, or control of systems.”¹⁵

In addition, financial institutions can report suspicious activities to the Financial Crimes Enforcement Network (FinCEN) by creating a suspicious activity report (SAR). SARs include detailed financial activities such as transactions that appear to be suspicious. These reports assist federal law enforcement agencies with the investigation of possible fraud, money laundering, terrorism and more.

Apart from properly reporting incidents, industry recognized computer security consulting companies strongly recommend scheduling frequent assessments. These assessments will identify security vulnerabilities and/or missing best practices with the overall goal to increase the security posture within an organization.

An Era of Security

In the end, it is not about how many security products one purchases to keep safe, but about the process. It is the combination of products, their implementation and security awareness that improves an environment’s and ultimately one’s security.

With the awareness of common attack methodologies used by attackers and the knowledge from best practices, one now has the skillset to protect against cyber threats. However, there is so much more to be learned. Do not be discouraged from asking the computer security staff at work for more information on best practices.

As we continue to live in an era of cyber war, let us strive for increased and improved security awareness. Stay secure!

Jonathan H. Broche, consultant, Optiv Security, Miami, FL, USA, jbroche@accuvant.com

The views and opinions expressed in this article are solely of the author and do not necessarily reflect the views of Optiv Security, its affiliates or its employees.

1. Symantec, “2014 Internet Security Threat Report,” http://www.symantec.com/security_response/publications/threatreport.jsp
2. Kazuo Hirai to U.S. House of Representatives, “Letter to the U.S. House of Representatives,” May 3, 2011, https://www.flickr.com/photos/playstationblog/sets/72157626521862165/
3. Marc Perton, “Data security expert: Sony knew it was using obsolete software months in advance,” Consumer Reports, May 4, 2011, http://www.consumerreports.org/cro/news/2011/05/data-security-expert-sony-knew-it-was-using-obsolete-software-months-in-advance/index.htm
4. Jason Schreier, “Sony Estimates $171 Million Loss From PSN Hack,” Wired, May 23, 2011, http://www.wired.com/2011/05/sony-psn-hack-losses/
5. SplashData, “Worst Passwords,” January 20, 2015, http://splashdata.com/press/worst-passwords-of-2014.htm
6. Microsoft, “Microsoft issues warning on phone scam,” Microsoft, August 26, 2010, http://www.microsoft.com/australia/presspass/post/Microsoft-issues-warning-on-phone-scam
7. Brian Krebs, “Sources: Target Investigating Data Breach,” Kreb Security, December 13, 2014, http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/
8. Kaspersky, “Carbanak APT The Great Bank Robbery,” February 1, 2015, https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
9. “Carbanak,” Wikipedia, https://en.wikipedia.org/wiki/Carbanak#cite_note-SangerPerlroth20150214-2
10. Tom Crosson, “Cost of Target Data Breach Exceeds $200 Million,” Consumer Bankers Association, February 18, 2014, http://www.cbanet.org/News%20and%20Media/Press%20Releases%202014/02182014_pressrelease.aspx
11. SANS, “Password Construction Guidelines,” June 2014, https://www.sans.org/security-resources/policies/general/pdf/password-construction-guidelines
12. Reed Abelson and Matthew Goldstein, “Anthem Hacking Points to Security Vulnerability of Health Care Industry,” Business Day, February 5, 2015, http://www.nytimes.com/2015/02/06/business/experts-suspect-lax-security-left-anthem-vulnerable-to-hackers.html?_r=0
13. Cliff Edwards, “Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy,” Bloomberg Business, June 27, 2011, http://www.bloomberg.com/news/articles/2011-06-27/human-errors-fuel-hacking-as-test-shows-nothing-prevents-idiocy
14. IC3, http://www.ic3.gov/about/default.aspx
15. FBI, Law Enforcement Cyber Incident Reporting, http://www.fbi.gov/about-us/investigate/cyber/law-enforcement-cyber-incident-reporting
16. RCFL, http://www.rcfl.gov/about