Security Summit: Defence strategies, from someone who robs banks
There is one important rule for every organisation and every individual: don't think that you're not in danger of being targeted by criminals. You are. No one wants to assume the worst case is happening to them, but it does. Everyone needs to get past that notion.
So said Jayson Street, infosec ranger at Pwnie Express, during his keynote "Strategies on securing your banks and enterprises, from someone who robs banks and enterprises" at ITWeb Security Summit 2017 this morning at Vodacom World in Midrand.
He said humans are terrible at risk management. Everyone is worried about zero days, but let's face it, you'll be phished long before you get hit by a zero day, he commented.
Then there's the question of who's coming after you, he added. "We'd all like to think it's a nation state. But not really. Unless you're the Pope or own a centrifuge, it's not them. It's not hacktivists either. Who else could it be, hacktivists? Not so much. They're not that organised."
So who is your attack vector? "Criminals. Criminals who want to rob you for money. They are not hackers. They are criminals. Start protecting yourself from them. Unfortunately, these criminals may well have nation state technology, but they are still just criminals."
If someone wants to breach an organisation badly enough, they will, Street said. "The longest I've taken to compromise a company was 1 hour 45 minutes. You can't control being attacked; it's how you respond to it that defines you."
Breaching a big five bank
Upon coming to SA, Street decided to see if he could breach one of the country's biggest banks. The first step was Googling 'SA's big five banks'. It's easy, he said: on the bank's landing page there is already a smorgasbord of information that makes it an attractive target. "Starting with the line: 'One of SA's wealthiest banks.' Moreover, there is plenty of other information, and links to social media accounts that can be used to socially engineer the organisation."
Information is freely available online, he noted, and that makes it easy to phish someone. If, for example, an individual has photos of his daughter on his Instagram account, an attacker can send him an e-mail that appears to come from a trusted source and asks about his daughter by name; that detail lends the phishing mail credibility and makes him think it is legitimate.
"Look at their Twitter account, and look at who they follow. Send that guy a DM message that compromises his account, then use that to compromise the bank."
In terms of defence, never put a real person's name and contact details in the 'contacts' section. "It's a good start for a social engineer to gain a foothold. Always use a generic contact address."
Think like an attacker
In addition, he advised that security teams should be taught to look at the site in an offensive manner. "Look at your site like an attacker would. You're not trying to keep honest people out, but think about any vulnerabilities that would let an attacker in. Also, stop trusting your network."
Employees also need to be treated as part of the security team. "If they are not educated about phishing, how can you prevent them from clicking on malicious links?"
Finally, Street said: "Stop living in a world where you think no one is trying to attack you. You may live in a nice neighbourhood, and if you pop down to the shops for a few minutes, your neighbours will keep an eye out. When you're online, your neighbours are China, Russia... They're looking for a way in. Don't give it to them."