Presentations at Networkshop46:
Phishing simulation exercises, by Michael Jenkins, Brunel University
Rogue WiFi, by Danny Moules, security assessment specialist, Professional Security Services, Jisc
Implementing Cyber Essentials, by Ged Nicholson, Hartlepool College of FE
3. Email is the No. 1 threat vector
225 billion emails per day
90% of threats start by email
99% of hackers rely on users to run malicious code
Impacts: malware infection / compromised accounts / loss of data
Threats using social engineering
8. Spoofing email addresses
The tools necessary to spoof email addresses are surprisingly easy to get. All you need is a working SMTP server (that is, a server that can send email) and the right mailing software: the From: header is plain text chosen by the sender, and nothing in SMTP itself ties it to the account that connects. Whether the spoof is actually delivered depends on the receiving side checking SPF, DKIM and DMARC for the spoofed domain, which is why those records matter for your own domain.
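The following Python is an added example, not from the Networkshop46 slides: it builds a message with a spoofed From: header (showing that nothing constrains it) and implements the identifier-alignment check a DMARC-enforcing receiver applies, which is what turns the spoof into a reject. All addresses and domains are constructed placeholders, and the organisational-domain logic is a deliberate simplification of the Public Suffix List rule.

```python
"""Added example (not from the Networkshop46 slides): how little a spoofed
From: header costs the sender, and the identifier-alignment check a DMARC-
enforcing receiver applies. All addresses and domains are constructed."""
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional


def build_spoofed_message(header_from: str, to: str, subject: str) -> EmailMessage:
    """Any SMTP client can set From: to anything; the header is just text.

    The SMTP envelope sender (MAIL FROM) is separate and is what SPF checks;
    an attacker can point it at a domain they control while From: shows the
    victim's CEO. Sending it needs only smtplib and a relay that accepts it.
    """
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content("Please approve the attached invoice today.")
    return msg


def _domain(addr: str) -> str:
    """Domain part of an RFC 5322 address, e.g. 'CEO <ceo@example.org>' -> 'example.org'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def _org_domain(domain: str) -> str:
    # Simplification (assumption): real DMARC uses the Public Suffix List, so
    # that e.g. example.ac.uk is one organisation; last-two-labels is enough here.
    return ".".join(domain.split(".")[-2:])


def _aligned(from_domain: str, auth_domain: Optional[str], strict: bool) -> bool:
    """Identifier alignment (RFC 7489 s.3.1): strict = exact match, relaxed = same org."""
    if not auth_domain:
        return False
    auth_domain = auth_domain.lower()
    if strict:
        return from_domain == auth_domain
    return _org_domain(from_domain) == _org_domain(auth_domain)


def dmarc_passes(msg: EmailMessage, spf_pass_domain: Optional[str],
                 dkim_pass_domain: Optional[str], strict: bool = False) -> bool:
    """DMARC passes only if a *passing* SPF identifier (the MAIL FROM domain)
    or DKIM identifier (the d= tag) aligns with the From: header domain.

    A spoofer who controls attacker.example can make SPF pass for
    attacker.example, but that does not align with the spoofed From:, so the
    message fails DMARC and the victim domain's p=reject policy applies."""
    from_domain = _domain(str(msg["From"]))
    return (_aligned(from_domain, spf_pass_domain, strict)
            or _aligned(from_domain, dkim_pass_domain, strict))
```

The check is the receiver's, not the sender's: a domain that publishes SPF and DKIM but no DMARC policy gets the spoof delivered anyway, because nothing requires the authenticated identifier to match what the user sees.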
25. The state of the art
> WEP -> WPA (Personal + Enterprise) -> WPA2 -> WPA3
> Public WiFi -> passworded WiFi (Open Wireless Movement)
> WPS (WiFi "Protected" Setup)
> Ninety quadrillion* accredited Enterprise protocols:
  > EAP-TLS
  > EAP-TTLS/MSCHAPv2
  > PEAPv0/EAP-MSCHAPv2
  > PEAPv1/EAP-GTC
  > PEAPv2/EAP-GCM
26. Wireless Access Point Spoofing (Rogue WiFi)
> Well-established attack tools
  > airbase-ng (2004+)
  > WiFi Pineapple® (2008+)
  > Fluxion, etc., etc.
> Mistaken identity
  > Streamlined WiFi workflows hide the underlying network 'complexity' from the user, who is unable to detect or respond
27. Wireless Access Point Spoofing
> Basic case: the WPA2-PSK is cracked, or stolen via other channels (e.g. a guest client compromise). Anyone holding the PSK can stand up an identical network.
> Mitigated by WPA2-Enterprise, but only if the client enforces server certificate verification (a trusted CA plus the expected server name). Hard to roll out and rare in practice.
> WPA2-Enterprise only permits detection of direct spoofs by a technical user; it doesn't prevent homograph attacks (a look-alike SSID or server name).
> User already connected to the real network? Can't break the key? Certificate verification set up? Denial of service pushes the client onto yours:
  > De-authentication
  > Jamming
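Server-certificate verification is a client-side setting, so the quickest way to test the "hard and rare" point on your own estate is to read the supplicant profiles. The following Python is an added example, not from the slides: it parses wpa_supplicant network blocks (two constructed ones, a weak and a hardened PEAP profile; the SSID, identity, CA path and RADIUS hostname are placeholders) and flags Enterprise profiles that would accept a rogue AP's RADIUS certificate. The wpa_supplicant keys (ca_cert, ca_path, domain_match, domain_suffix_match, altsubject_match, subject_match) are real; the audit rules are mine.

```python
"""Added example (not from the Networkshop46 slides): audit wpa_supplicant
network blocks for the WPA2-Enterprise weakness the slide describes, i.e.
EAP configured without enforced server-certificate verification.
Both configurations are constructed samples with placeholder names."""
import re
from typing import Dict, List

# Constructed sample: a typical "it just works" PEAP profile. No ca_cert and
# no domain_match, so wpa_supplicant accepts any RADIUS server certificate,
# including one presented by a rogue AP running its own RADIUS server, which
# then receives the MSCHAPv2 challenge-response for the user's password.
WEAK_CONF = """
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.ac.uk"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample: the same profile with verification enforced. ca_cert
# pins the issuing CA and domain_match requires the exact server name, so a
# certificate for a look-alike name issued by the same CA is rejected too.
HARDENED_CONF = """
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.ac.uk"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.ac.uk"
}
"""

_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
_KV = re.compile(r"^\s*(\w+)=(.*?)\s*$", re.M)


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one dict of key -> value (surrounding quotes stripped) per network block."""
    return [{k: v.strip('"') for k, v in _KV.findall(body)} for body in _BLOCK.findall(conf)]


def audit_network(net: Dict[str, str]) -> List[str]:
    """Findings for one block; an empty list means server verification is enforced."""
    findings: List[str] = []
    if not any(m in net.get("key_mgmt", "") for m in ("WPA-EAP", "IEEE8021X")):
        return findings  # PSK/open networks: there is no server certificate to verify
    ssid = net.get("ssid", "?")
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append(f"{ssid}: no ca_cert/ca_path, any server certificate is accepted")
    name_checks = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")
    if not any(k in net for k in name_checks):
        findings.append(f"{ssid}: no server-name check, any certificate from the trusted CA is accepted")
    elif "domain_suffix_match" in net and "domain_match" not in net:
        findings.append(f"{ssid}: domain_suffix_match only; prefer domain_match for an exact name")
    return findings


def audit_conf(conf: str) -> List[str]:
    """Audit every network block in a wpa_supplicant configuration string."""
    return [f for net in parse_networks(conf) for f in audit_network(net)]
```

The Windows equivalent is the PEAP profile's "Validate server certificate" box together with "Connect to these servers" and a selected root CA; a profile pushed without those is the Windows version of WEAK_CONF.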
28. What are the risks?
> Active Directory clients spew credentials over HTTP, SMB, LDAP etc. to anyone who asks nicely enough (an NTLM challenge-response goes to whatever server the client is pointed at)
> Spoofed relays can replay those credentials (NTLM relay)
> Spoofed services can crack the passwords of most AD networks offline from the captured responses (upgrade!)
> Phishing: captive portals are especially vulnerable, being insecure by design (the user expects an unfamiliar login page)
> Network pass-through: the attacker can stay connected to the spoofed network, providing a realistic experience while introducing insecurities at leisure
29. What are the risks? Attack properties
> Easy for the attacker: the tools are easy to use and documented, and the attack can be performed with nothing but a laptop or cheap stand-alone hardware
> The problems of phishing are compounded by trust in the network, by captive portals, and by the promiscuous use of MITM (TLS interception) as industry-standard practice
> Laptops are crammed full of credentials and can be induced to give them up in myriad ways, outside the protections of their normal business network
30. The Next Generation - WPA3
> Not vulnerable to de-auth (in theory), thanks to mandatory Protected Management Frames. Hurrah!
> Jamming unaddressed
> Dragonfly protocol (SAE): secure key negotiation, resistant to offline dictionary attacks on the passphrase
> Enables public WiFi without a password (OWE, marketed as Wi-Fi Enhanced Open)
> No/limited security proof?
> Solves the unencrypted-data problem but doesn't appear to add a new authentication element. Easier to spoof than PSK? Watch this space™
> Enables NFC-based setup (Easy Connect / DPP): security properties unknown. WPS all over again?
31. Residual risks
> Detection is very hard to achieve: the de-auth fix is helpful but no silver bullet
> Incident response is very hard: a CERT/SIRT is not much help here, since the attack leaves nothing on your own network to investigate
> Credentials can be stolen or abused even outside your own network: tighten your Group Policies (e.g. restrict NTLM, require SMB signing)!
> APTs targeting research can incorporate WiFi phishing into all sorts of complex social engineering scenarios with less fear of detection than other, better monitored, approaches
32. Not just WiFi: different, but the same
> Not enough risk for ya?
> Swap WiFi hotspots for phone base stations and n^2 your threat model!
> Heard of Stingray? It's not just for law enforcers!
> Not as mature as WiFi spoofing but maturing very rapidly and nearing off-the-shelf use
> Current options for defenders?
  1. Be paranoid and ahead of the curve
  2. Adopt religion and pray
33. Except where otherwise noted, this work is licensed under CC-BY-NC-ND.
Danny Moules
Security assessment specialist
danny.moules@jisc.ac.uk
One Castlepark, Tower Hill, Bristol, BS2 0JA
T 07867 552072
customerservices@jisc.ac.uk
jisc.ac.uk
36. What is Cyber Essentials
The Cyber Essentials scheme has been developed by the UK Government and industry to fulfil two functions:
It provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet-based threats, within the context of the Government's 10 Steps to Cyber Security.
And through the Assurance Framework it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.
38. Five key controls
> Boundary firewalls and internet gateways
> Secure configuration
> Access control and administrative privilege management
> Patch management
> Malware protection
39. Which option
> Cyber Essentials (CE): self-assessment questionnaire, verified by a certification body
> Cyber Essentials Plus (CE+): verification carried out independently by a certification body (site visit, vulnerability scans and device checks)
42. Accreditation Bodies
(The body names were logos and are not in the extracted text; the last row is IASME, per its own bundle note, and the speaker notes mention APMG as the direct route.)

Body        | Route                   | CE           | CE+     | Questions | Notes
------------|-------------------------|--------------|---------|-----------|------------------------------------------------
(unnamed)   | Direct, portal          | £300         | ?       | 40        |
(unnamed)   | 48 suppliers            | £300+        | £1250+  | 34        | Vulnerability scan included
(unnamed)   | 20 companies            | £250+        | £500+   | 35        |
(unnamed)   | 4 companies             | ?            | ?       | ?         | ?
IASME       | Direct + 143 suppliers  | £300 or £400 | Varies  | 62 or 171 | Bundle with IASME governance & GDPR assessments

cyberessentials.ncsc.gov.uk/getting-certified/
43. Steps to certification
> Decide CE or CE+
> Select a certification body through one of the accreditation bodies
> Verify that your IT is secure
> Write the business scope
> Fill out the questionnaire
> Option: arrange the vulnerability scan/visit (required for CE+)
> Buy a picture frame and wait for the certificate
> Renew after one year
44. Our experience
> Make sure you have the five key controls covered
> Review the questions before you start the process
> Take your time selecting the accreditation and certification bodies
> Select which option is best for your needs, CE or CE+
> Getting the scope correct is vital, especially for CE+
> Be prepared to justify your answers and results
45. Limitations
> Not designed for education
> Scheme not consistent across bodies
> CE relies on the company's honesty
> Is only a snapshot in time
> CE+ can be expensive
46. Is it worth the time and cost?
> Good starting point for cyber security
> Simple, straightforward and cost-effective certification process
> Keeps management, auditors and insurers happy
47. Except where otherwise noted, this work is licensed under CC-BY-NC-ND.
Gerald Nicholson
IT manager
gerald.nicholson@hartlepoolfe.ac.uk
Hartlepool College of Further Education, Stockton Street, Hartlepool, TS24 7NT
T 01429 404181
enquires@hartlepoolfe.ac.uk
www.hartlepoolfe.ac.uk
Speaker notes
The video you are about to see is footage of a computer being infected with ransomware, followed by extortion based on the publication of compromised confidential company information.
'EAP' stands for 'EAP, a hacker is looking at my data'. 'PEAP' stands for 'EAP, a hacker is PEAPing at my data'.
Explain MITM. Explain the shift towards ease of usability and its costs to security.
Start with a note on public WiFi, then head to the basic PSK case.
Mention homograph edge-cases, general fiel
Government wanted to improve cyber security nationwide
GCHQ – 10 steps
Nothing available that met the requirements
Worked with industry to develop a scheme
Cyber Essentials
Around since 2014
Basically what you need to do to stay safe and a mechanism for you to prove it to your suppliers/customers etc.
Very good
86 statements of what you need to implement – develop a policy for updates and patch management, install firewalls, limit the use of removable media
Created a spreadsheet to review and work through
Too big for Cyber Essentials – key word: Essentials
Network security: segmented networks, secure wireless, NAT, DMZ
Secure configuration: HW/SW inventories, lock down OS/apps, vulnerability scans, AppLocker
Managing user privileges: user creation/deletion automated?, password policy, limiting user privileges, monitoring user activity
Malware protection: software installed, scanning all systems, dedicated air-gapped USB scanning machines, baseline security build for all new machines
Patch management: software licensed and supported, OS/apps patched within 14 days, BYOD policy for mobile devices
CE relies on you telling the truth – as simple as writing a business scope and answering the questionnaire
CE+: site visit, external and internal vulnerability scan, and PC/mobile device checks – can be 10% of devices or one of each type of machine
216 companies
APMG – Direct – quick, 1 hour
Prices vary: do it yourself £300 (includes vulnerability scan, £100 rescans); IT Governance, get a little help, £550
IASME £300 or £400 with governance and GDPR, 62 or 171 questions
Very varied approaches and advice given
The most time-consuming part of this process is picking the right accreditation body and certification company
Scope: internet facing, full organisation, finance, etc.
Example questions
At least you have the answers