SANS WebCast

The document discusses several recent data breaches and how implementing the Critical Security Controls could have helped prevent or mitigate the breaches. It summarizes data breaches at the Office of Personnel Management, caused by unpatched vulnerabilities and lack of multifactor authentication; the WannaCry ransomware attack, which exploited an unpatched vulnerability; the Equifax breach, where an Apache Struts vulnerability was exploited due to lack of patching; and the SingHealth, Marriott, and Town of Salem breaches, which could have been prevented or detected earlier through controls like privileged access management, logging and monitoring, and incident response.


Security Leadership

The Critical Security Controls and Some


Recent Data Breaches
Get security leadership training at SANS Institute!
SEC566: Implementing and Auditing the Critical Security Controls

Featured at:
• Tampa 2019 (Clearwater, FL | Aug 25-29)
• Network Security 2019 (Las Vegas, NV | Sept 9-13)
• Denver 2019 (Denver, CO | Oct 14-18)

About Me

• Chris Christianson
• SANS Instructor/Information Security Consultant
[email protected]
• ismellpackets.com
• (707) 301-5649
• @cchristiason

The Critical Security Controls

• Prioritized list of best practices for computer security
• Actions that organizations should take to prevent known attacks

Some Recent Data Breaches

• Office of Personnel Management (OPM) (2014-2015)
• WannaCry (May 2017)
• Equifax (discovered July 29, 2017)
• SingHealth (summer 2018)
• Marriott (announced Nov 2018; roughly four years to detect)
• Town of Salem (Dec 2018-Jan 2019)

Office of Personnel Management (OPM)

• US-CERT notifies OPM on March 20, 2014 that data is being exfiltrated from its network
• OPM and US-CERT chose to monitor Hacker X1 (a counterintelligence approach) rather than immediately eject the intruder
• Meanwhile, Hacker X2 used a contractor's OPM credentials to log in to the OPM network, install malware and create a backdoor

Office of Personnel Management (OPM)
Continued
• Hacker X1 gets dangerously close to the security clearance background investigation data
• "The Big Bang" (May 27, 2014) eliminates Hacker X1 from the network
• Hacker X2 is not detected: installs more malware on a web server and registers the malicious domain name opmlearning.org

Office of Personnel Management (OPM) It Keeps
Going & Going
• June 2014: Hacker X2 installs more malware on OPM systems and establishes a C2 channel
• July-August 2014: Hacker X2 exfiltrates the security clearance background investigation data (OPM later put the number of individuals affected at 21.5 million); the personnel records of 4.2 million current and former federal employees were taken in a separate exfiltration in December 2014
• March 2015: Hacker X2 registers another domain name, wdc-news-post.com, and uses it as a C2 channel to exfiltrate fingerprint data

Office of Personnel Management (OPM) Findings

• The House Committee on Oversight and Government Reform found that, had OPM implemented basic, required security controls and deployed more security tools when it first learned hackers were targeting such sensitive data, it could have delayed, potentially prevented, or significantly mitigated the theft

Office of Personnel Management (OPM) Findings
Continued
• Statement from the report: "OPM's adoption of two-factor authentication for remote logons in early 2015, which had long been required of federal agencies, would have precluded continued access by the intruder into the OPM network"

OPM & Controls

• CIS Control 4: Controlled Use of Administrative Privileges
• Sub-Control 4.5 - Use Multifactor Authentication for All Administrative Access

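Sub-Control 4.5 is the control the committee's report says would have ended the intruder's use of the contractor's stolen credentials. The block below is an added example, not code from the webcast or from OPM, of what that check looks like at the remote logon path: a correct password alone never satisfies it, because the second factor is a one-time code (RFC 6238 TOTP, used here as a stand-in for whatever second factor an agency deploys) derived from a secret the holder of the stolen password does not have. The account name, password, salt and TOTP secret are constructed for the example; the TOTP secret is the RFC 6238 test secret so the arithmetic can be checked against the RFC's own vectors.

```python
# Added example: enforcing a second factor (RFC 6238 TOTP) on an administrative/remote logon.
# Not code from the webcast or from OPM; every account value below is constructed.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock skew.
    Compare in constant time so a rejected code leaks nothing about the expected one."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash for the first factor (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed account store for a contractor with remote access: a salted password hash
# plus the per-account TOTP secret that only the enrolled authenticator holds.
CONTRACTOR_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")      # constructed
CONTRACTOR_TOTP_SECRET = b"12345678901234567890"                          # RFC 6238 test secret
ACCOUNTS = {
    "contractor01": {
        "pw_hash": hash_password("Winter2014!", CONTRACTOR_SALT),         # constructed password
        "salt": CONTRACTOR_SALT,
        "totp_secret": CONTRACTOR_TOTP_SECRET,
    }
}


def remote_logon(accounts: dict, user: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. A stolen password by itself (the Hacker X2 scenario) fails
    here because the attacker cannot produce the current one-time code."""
    rec = accounts.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
    mfa_ok = verify_totp(rec["totp_secret"], code, unix_time)
    return pw_ok and mfa_ok


if __name__ == "__main__":
    now = 1400000000
    print("password only:", remote_logon(ACCOUNTS, "contractor01", "Winter2014!", "", now))
    print("password + code:", remote_logon(ACCOUNTS, "contractor01", "Winter2014!",
                                           totp(CONTRACTOR_TOTP_SECRET, now), now))
```

The `window` of one step either side is the usual allowance for authenticator clock drift; widening it lengthens the brute-force window for a six-digit code, so pair it with rate limiting on the logon endpoint. A PIV smart card or push-based factor would replace `verify_totp` without changing `remote_logon`.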
WannaCry

• Attacks began May 12, 2017, first reported in Asia
• Ransomware that spread on its own as a worm (over SMBv1), not as a user-launched virus
• Largely targeted unpatched Microsoft Windows systems
• The patch (MS17-010, March 14, 2017) had been released two months before the initial attacks

WannaCry Continued

• Crippled hospitals, banks and other industries around the world
• Encrypts data and demands a ransom
• The U.S. government publicly blamed North Korea
• Used an exploit (EternalBlue) initially developed by the U.S. government and leaked by the Shadow Brokers

WannaCry Impact

• Roughly 230,000 systems infected
• Over 150 countries
• Several follow-on attacks

WannaCry & Controls

• CIS Control 3: Continuous Vulnerability Management
• Sub-Control 3.4 - Deploy Automated Operating System Patch Management Tools

Equifax
• Attackers found Equifax servers visible from the Internet
• The servers supported Equifax's "online dispute" web application
• The servers ran a version of Apache Struts with a known, unpatched vulnerability
• The patch had been released March 7, 2017
• Attackers were probing the vulnerable servers within days of the patch release and had gained access by May 13, 2017
• Equifax discovered the breach July 29, 2017
• Data was exfiltrated from May 13, 2017 until July 30, 2017
• Equifax reported the breach September 7, 2017
• 145 million people victimized, 2 million more than initially reported

Equifax & the Vulnerability

• Apache Struts CVE-2017-5638: a remote code execution (RCE) vulnerability in the Jakarta multipart parser, triggered by a crafted Content-Type header
• Apache Struts is a framework for developing Java web applications
• The vulnerability provided access to multiple servers
• Some of those servers contained files with valid Equifax credentials stored unencrypted

Equifax & Controls
• CIS Control 3: Continuous Vulnerability Management
• Sub-Control 3.5 - Deploy Automated Software Patch Management Tools
• CIS Control 16: Account Monitoring and Control
• Sub-Control 16.3 - Require Multi-factor Authentication
• Sub-Control 16.4 - Encrypt or Hash All Authentication Credentials
• CIS Control 19: Incident Response and Management

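Sub-Control 3.5 here and Sub-Control 3.4 on the WannaCry slide come down to the same question: which hosts are still running a component whose fix has already shipped, and for how long? The block below is an added example, not code from the webcast or from Equifax, of that check run over a constructed software inventory. It compares each host's Apache Struts version against the version ranges affected by CVE-2017-5638 (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1) and reports the days of exposure since the March 7, 2017 fix. The hostnames, installed versions, scan date and 30-day patch SLA are assumptions for the example; the same inventory check applies to operating-system patches such as MS17-010.

```python
# Added example: continuous vulnerability management as an inventory check (CIS 3.4 / 3.5).
# Not code from the webcast or from Equifax; hosts, versions, scan date and SLA are constructed.
from datetime import date

# Public facts about CVE-2017-5638 (Apache Struts S2-045): affected ranges and fixed versions.
ADVISORIES = {
    "CVE-2017-5638": {
        "component": "struts2-core",
        "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],   # inclusive ranges
        "fixed_in": ["2.3.32", "2.5.10.1"],
        "fix_released": date(2017, 3, 7),
    },
}

# Constructed inventory: what an automated inventory/patch tool would report per host.
INVENTORY = [
    {"host": "dispute-web-01", "component": "struts2-core", "version": "2.3.30"},
    {"host": "dispute-web-02", "component": "struts2-core", "version": "2.3.30"},
    {"host": "portal-web-01",  "component": "struts2-core", "version": "2.5.10"},
    {"host": "portal-web-02",  "component": "struts2-core", "version": "2.5.10.1"},
    {"host": "intranet-01",    "component": "struts2-core", "version": "2.3.32"},
    {"host": "api-gw-01",      "component": "log4j-core",   "version": "2.8.2"},
]


def parse_version(v: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); tuple comparison then orders versions numerically,
    so 2.5.10.1 sorts after 2.5.10 and 2.3.32 after 2.3.31 (string comparison would not)."""
    return tuple(int(part) for part in v.split("."))


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test on parsed versions."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def find_vulnerable(inventory: list, advisories: dict, as_of: str) -> list:
    """One finding per (host, CVE) whose installed version lies in an affected range.
    `as_of` is an ISO date (the scan date) used to compute days since the fix shipped."""
    scan_date = date.fromisoformat(as_of)
    findings = []
    for item in inventory:
        for cve, adv in advisories.items():
            if item["component"] != adv["component"]:
                continue
            if any(in_range(item["version"], lo, hi) for lo, hi in adv["affected"]):
                findings.append({
                    "host": item["host"],
                    "cve": cve,
                    "installed": item["version"],
                    "fixed_in": adv["fixed_in"],
                    "days_unpatched": (scan_date - adv["fix_released"]).days,
                })
    return findings


def past_sla(findings: list, sla_days: int = 30) -> list:
    """Hosts whose exposure exceeds the patch SLA (30 days assumed for the example)."""
    return sorted(f["host"] for f in findings if f["days_unpatched"] > sla_days)


if __name__ == "__main__":
    # Scan dated the day the Equifax slide gives as the start of exfiltration.
    findings = find_vulnerable(INVENTORY, ADVISORIES, "2017-05-13")
    for f in findings:
        print(f)
    print("past SLA:", past_sla(findings))
```

Run against an inventory dated May 13, 2017, the two dispute-application hosts and the 2.5.10 portal host come back 67 days unpatched, well past a 30-day SLA; the 2.3.32 and 2.5.10.1 hosts do not appear. The value of automating this (the "deploy tools" wording in 3.4 and 3.5) is that the list is regenerated every scan rather than depending on someone remembering an advisory e-mail.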
SingHealth

• Compromised personal data of 1.5 million patients
• Compromised outpatient medical data of 160,000 patients who had visited 4 public hospitals, 9 polyclinics and 42 clinical specialties

SingHealth Continued

• Customized malware
• The initial foothold was a workstation running a version of Microsoft Outlook that was not patched
• A local Administrator account used the password "P@sswOrd"
• The attackers used Administrator accounts to remotely log in to Citrix servers

SingHealth Fallout
• Two employees fired for negligence
• The Citrix Team Lead had the technical capabilities, but his "attitude" towards security and management of systems introduced unnecessary risks
• The Security Incident Response Manager failed to comprehend what constituted a "security incident" and did not raise the alarm despite repeated alerts from staff

SingHealth Fallout Continued
• Five members of the IHiS senior management team, including the CEO, were slapped with "a significant financial penalty" for their "collective leadership responsibility"
• IHiS added that a "moderate financial penalty" would be imposed on the two middle-management supervisors who were responsible for the two employees sacked

SingHealth & Controls

• CIS Control 4: Controlled Use of Administrative Privileges
• Sub-Control 4.4 - Use Unique Passwords
• Sub-Control 4.5 - Use Multifactor Authentication for All Administrative Access

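Sub-Control 4.4 is checkable: collect the local Administrator credential hash from every host and look for the same hash on more than one of them, or a hash matching a value that should never be used. The block below is an added example of that audit, not code from the webcast or from SingHealth/IHiS. Its hosts and passwords are constructed; the hash function is a stand-in (SHA-256 over UTF-16LE) chosen only so the example runs anywhere, on the assumption that the real store is unsalted, as Windows NT hashes are, so that equal passwords give equal hashes across hosts. The weak value from the slide is included in the banned list so the example reproduces that finding.

```python
# Added example: auditing local Administrator credentials for reuse and weak values (CIS 4.4).
# Not code from the webcast or from SingHealth/IHiS; hosts, passwords and the hash are constructed.
import hashlib
from collections import defaultdict


def stand_in_hash(password: str) -> str:
    """Stand-in for the unsalted credential hash an audit tool would collect from each host.
    Assumption: the real store is unsalted (as Windows NT hashes are), so equal passwords
    give equal hashes across hosts; SHA-256 over UTF-16LE is used only so this runs anywhere."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


# Values that must never be a local admin password; includes the one named on the slide.
BANNED_PASSWORDS = ["P@sswOrd", "P@ssw0rd", "Password1", "Welcome1", "Admin123"]

# Constructed inventory: host -> hash of its local Administrator password.
INVENTORY = {
    "CITRIX-01": stand_in_hash("P@sswOrd"),
    "CITRIX-02": stand_in_hash("P@sswOrd"),
    "CITRIX-03": stand_in_hash("P@sswOrd"),
    "WS-1042": stand_in_hash("8#kQz!vL2pWm"),
    "WS-1043": stand_in_hash("Tf4$r9Xc&bNq"),
    "DB-07": stand_in_hash("Tf4$r9Xc&bNq"),
}


def audit_local_admin(inventory: dict, banned: list) -> list:
    """Flag (a) the same local admin hash on more than one host, which means one stolen
    hash or password opens all of them, and (b) any hash that matches a banned value."""
    hosts_by_hash = defaultdict(list)
    for host, digest in inventory.items():
        hosts_by_hash[digest].append(host)
    banned_by_hash = {stand_in_hash(p): p for p in banned}

    findings = []
    for digest, hosts in hosts_by_hash.items():
        hosts = sorted(hosts)
        if len(hosts) > 1:
            findings.append({"check": "shared local Administrator password (CIS 4.4)",
                             "hosts": hosts})
        if digest in banned_by_hash:
            findings.append({"check": "weak/banned local Administrator password (CIS 4.4)",
                             "hosts": hosts, "password": banned_by_hash[digest]})
    return findings


if __name__ == "__main__":
    for finding in audit_local_admin(INVENTORY, BANNED_PASSWORDS):
        print(finding)
```

Two findings come out of the constructed data: the three Citrix servers share one (banned) password, and WS-1043 and DB-07 share another that is strong but not unique, so a credential dumped from the workstation still opens the database server. Per-host random local admin passwords (LAPS-style) make the shared-hash check return nothing, and the banned list in practice is a breach-derived list rather than five literals.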
Marriott
• Attackers had access to the reservation systems of many of its hotel chains for about four years
• The breach involved the reservation database for Marriott's Starwood subsidiaries
• 500 million guests affected (the figure initially announced)
• Names, addresses, phone numbers, passport numbers, credit card numbers, travel locations, and arrival and departure dates

Marriott Continued
• An internal security tool flagged unauthorized activity on September 8, 2018. Further investigation found that the attackers had accessed the information, encrypted it and attempted to remove it
• It took Marriott until late November to decrypt the information
• Encryption was used to protect credit card numbers, but a company spokesperson declined to comment on whether other PII was encrypted
• Marriott acknowledged a possible failing in the encryption of credit card numbers, saying it could not "rule out the possibility" that the encryption keys were also taken by the attackers

Marriott Fallout

• GDPR: in July 2019 the UK ICO announced its intention to fine Marriott £99.2 million (about $123M)

Marriott & Controls

• CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
• Sub-Control 6.7 - Regularly Review Logs

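"Regularly review logs" is only useful if the review can tell a four-year-old quiet foothold from normal traffic, and the one thing an attacker pulling a whole reservation database cannot hide in a database audit trail is volume. The block below is an added example, not code from the webcast or from Marriott, of a review script run over a constructed database audit log: it baselines each account's daily row counts, then alerts on a day whose total is an order of magnitude above that account's median, on an established account appearing from a source address never seen before, and on first-ever off-hours activity. The log format, account names, addresses and thresholds are all assumptions for the example.

```python
# Added example: automated review of database audit logs (CIS 6.7). Not code from the
# webcast or from Marriott; the log format, lines, accounts and addresses are constructed.
import re
from collections import defaultdict
from statistics import median

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"db=(?P<db>\S+) op=(?P<op>\S+) rows=(?P<rows>\d+) src=(?P<src>\S+)$"
)

# Constructed audit trail: a week of routine reporting, then one night when the same
# service account pulls the whole guest table from an address never seen before.
SAMPLE_LOG = """
2018-09-01T09:00:12Z user=svc_reports db=reservations op=SELECT rows=4100 src=10.4.2.17
2018-09-01T09:01:03Z user=app_booking db=reservations op=SELECT rows=118000 src=10.4.1.5
2018-09-02T09:00:08Z user=svc_reports db=reservations op=SELECT rows=3900 src=10.4.2.17
2018-09-02T09:01:11Z user=app_booking db=reservations op=SELECT rows=121000 src=10.4.1.5
2018-09-03T09:00:15Z user=svc_reports db=reservations op=SELECT rows=4500 src=10.4.2.17
2018-09-03T09:01:09Z user=app_booking db=reservations op=SELECT rows=119500 src=10.4.1.5
2018-09-04T09:00:10Z user=svc_reports db=reservations op=SELECT rows=4000 src=10.4.2.17
2018-09-04T09:01:02Z user=app_booking db=reservations op=SELECT rows=122000 src=10.4.1.5
2018-09-05T09:00:14Z user=svc_reports db=reservations op=SELECT rows=4200 src=10.4.2.17
2018-09-05T09:01:05Z user=app_booking db=reservations op=SELECT rows=117000 src=10.4.1.5
2018-09-06T09:00:09Z user=svc_reports db=reservations op=SELECT rows=3800 src=10.4.2.17
2018-09-06T09:01:07Z user=app_booking db=reservations op=SELECT rows=120500 src=10.4.1.5
2018-09-07T09:00:11Z user=svc_reports db=reservations op=SELECT rows=4400 src=10.4.2.17
2018-09-07T09:01:04Z user=app_booking db=reservations op=SELECT rows=118500 src=10.4.1.5
2018-09-08T02:14:05Z user=svc_reports db=reservations op=SELECT rows=4800000 src=10.9.0.44
2018-09-08T02:41:37Z user=svc_reports db=reservations op=SELECT rows=3100000 src=10.9.0.44
2018-09-08T09:01:06Z user=app_booking db=reservations op=SELECT rows=119000 src=10.4.1.5
""".strip().splitlines()


def parse(lines):
    """Parse audit lines into dicts, sorted by timestamp; refuse silently-skipped lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparsed audit line: {line!r}")
        e = m.groupdict()
        e["rows"] = int(e["rows"])
        e["day"] = e["ts"][:10]
        e["hour"] = int(e["ts"][11:13])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def review_logs(lines, spike: float = 10.0, min_history: int = 3):
    """Return sorted (day, user, reason) alerts; thresholds are assumptions for the example."""
    events = parse(lines)
    daily = defaultdict(int)                 # (user, day) -> rows returned
    days_seen = defaultdict(list)            # user -> ordered distinct days
    for e in events:
        daily[(e["user"], e["day"])] += e["rows"]
        if e["day"] not in days_seen[e["user"]]:
            days_seen[e["user"]].append(e["day"])

    alerts = set()
    # 1. Volume: a day's total >= `spike` x the median of the account's previous days.
    for user, days in days_seen.items():
        for i, day in enumerate(days):
            history = [daily[(user, d)] for d in days[:i]]
            if len(history) < min_history:
                continue                      # not enough baseline yet
            base = median(history)
            today = daily[(user, day)]
            if base > 0 and today >= spike * base:
                alerts.add((day, user, f"row volume {today / base:.0f}x baseline "
                                       f"({today} rows vs median {base:.0f})"))
    # 2. New source address, and 3. first off-hours activity, for established accounts.
    known_src = defaultdict(set)
    seen_off_hours = defaultdict(bool)
    for e in events:
        user, src = e["user"], e["src"]
        established = days_seen[user].index(e["day"]) >= min_history
        if established and src not in known_src[user]:
            alerts.add((e["day"], user, f"first activity from new source {src}"))
        known_src[user].add(src)
        off_hours = e["hour"] < 6 or e["hour"] >= 20      # 06:00-20:00 UTC assumed normal
        if off_hours and established and not seen_off_hours[user]:
            alerts.add((e["day"], user, f"first off-hours activity at {e['ts'][11:16]}Z"))
        seen_off_hours[user] |= off_hours
    return sorted(alerts)


if __name__ == "__main__":
    for alert in review_logs(SAMPLE_LOG):
        print(alert)
```

On the constructed log the 2018-09-08 pull by `svc_reports` is flagged three ways (about 1,900 times its baseline, a new source, and 02:14 activity from an account that had only ever run at 09:00), while `app_booking` produces nothing. A database export that large is hard to hide from a row-count baseline even when the attacker compresses and encrypts the result before moving it, which is the step the Marriott slide describes.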
Town of Salem
• A hacker stole the information of 7.6 million users of the game "Town of Salem", BlankMediaGames (BMG) admitted in a blog post on January 2, 2019
• The hack came to light after an unknown person sent a copy of the stolen data to DeHashed, a commercial data breach indexing service
• DeHashed spent the holidays trying to contact BMG to alert the game maker to the hack and its still-compromised server
• The hacked servers were finally secured and "multiple backdoors removed" at the beginning of January

Town of Salem & the Controls

• CIS Control 19: Incident Response and Management
• Sub-Control 19.4 - Devise Organization-wide Standards for Reporting Incidents

CIS Critical Security Controls
1: Inventory and Control of Hardware Assets
2: Inventory and Control of Software Assets
3: Continuous Vulnerability Management
4: Controlled Use of Administrative Privileges
5: Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers
6: Maintenance, Monitoring & Analysis of Audit Logs
7: Email & Web Browser Protections
8: Malware Defenses
9: Limitation & Control of Network Ports, Protocols, & Services
10: Data Recovery Capabilities
11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12: Boundary Defense
13: Data Protection
14: Controlled Access Based on the Need to Know
15: Wireless Access Control
16: Account Monitoring and Control
17: Implement a Security Awareness and Training Program
18: Application Software Security
19: Incident Response and Management
20: Penetration Tests and Red Team Exercises

Conclusion

• We can never prevent all attacks, but implementing the Critical Security Controls can help
• The Critical Security Controls really give us a prioritized defense strategy

Security Leadership

Thank you for attending!


Questions?