Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 17
In this blog series, members of Optiv’s attack and penetration team are covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
For all functional roles in the organization prioritizing those mission critical to the business and its security, identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
It’s commonly mentioned that the weakest part of any organization is the human element. These vulnerabilities are not always technical in nature. Organizations need to prepare employees with an adequate training program informing them of the dangers they may face in the workplace.
In a social engineering attack, an attacker will start by collecting all of the information they can about an organization from public sources (e.g., public websites, Internet mailing lists, social networks, etc.). There are many tools that can help with collecting this data. What follows are two examples used by Optiv for gathering email addresses from various sources, including LinkedIn.
Once the attacker has collected information on the organization, they will begin to build a profile to decide how best to target it. Common information the attacker would search for would be:
An attacker may use this information to execute a phone pretexting or spear phishing attack. Both of these attacks can be done remotely and are tailored for a specific target using the public information identified.
In a phone pretexting attack, the attacker will try to impersonate an employee, customer or vendor. Acting under a false identity, the attacker would call a specific target to extract sensitive information or convince the target to execute malicious software on the attacker’s behalf.
In a spear phishing attack, the attacker uses techniques such as spoofed emails and impersonation against a specific individual or group within an organization. Depending on the organization's public exposure, the attacker may choose from a variety of exploitation scenarios. For example, if the organization exposes a single-factor authentication interface, such as a webmail service or, even worse, an SSL VPN, the attacker may try to influence the user into submitting their username and password to a website the attacker controls. For a more direct path into the network, the attacker may try to get the user to open a malicious attachment, such as a macro-enabled Microsoft Word document. Once the attacker has gained access to the target's host or the organization's network, they will often either pivot further into the network in an attempt to access other hosts, or monitor the infected machine to determine its value.
There are many different tools and techniques for crafting malicious emails and files. The following example showcases Phishery, a publicly available tool developed by Ryan Hanson, a member of the Optiv attack and penetration team, that facilitates a novel approach to credential harvesting. The process begins with Phishery modifying an existing Microsoft Word document by injecting a link to a remote template (an external relationship inside the document's OOXML package that points at an attacker-controlled URL). Next, Phishery starts an HTTP server that will answer requests for that link. When the victim opens the document, Microsoft Word automatically fetches the linked template from Phishery's server. The server responds with an HTTP Basic authentication challenge, which causes Windows to display a credential prompt to the user. Once the credentials are submitted, Phishery captures and logs them for the attacker. Because the prompt is a genuine Windows authentication dialog rather than a spoofed web page, advice such as checking the browser's address bar does not help the user here.
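As an added example (not Phishery's own code and not part of the original post), the following Python script shows the artifact this attack leaves behind in a .docx and a check a mail gateway or analyst can run for it. A .docx is a ZIP of OOXML parts; an attached template is declared in word/settings.xml and resolved through a relationship in word/_rels/settings.xml.rels, and when that relationship is marked External with an http(s) target, Word fetches it on open. The script builds a minimal document in memory (constructed sample, with a hypothetical template URL) both with and without such a link, then scans every .rels part for external http(s) relationships. Function names are the author's own choices, not a library API.

```python
"""Scan .docx files for remote-template (and other external http) relationships.

Added example: constructs a minimal OOXML package in memory, optionally with
an attachedTemplate relationship pointing at a remote URL, then scans it.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Minimal parts for a constructed sample document (enough for Word's package
# structure and for the scanner; not a feature-complete document).
_CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
    '</Types>'
)
_ROOT_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{R_NS}/officeDocument" Target="word/document.xml"/>'
    '</Relationships>'
)
_DOC_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{R_NS}/settings" Target="settings.xml"/>'
    '</Relationships>'
)
_DOCUMENT = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
    '<w:t>Q3 payroll summary (constructed sample)</w:t>'
    '</w:r></w:p></w:body></w:document>'
)


def _settings_xml(with_template):
    # <w:attachedTemplate r:id="rId1"/> is what makes Word resolve the template.
    attached = '<w:attachedTemplate r:id="rId1"/>' if with_template else ''
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">{attached}</w:settings>')


def _settings_rels(template_url):
    # TargetMode="External" plus an http(s) Target is the remote-template injection.
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{R_NS}/attachedTemplate" '
            f'Target="{template_url}" TargetMode="External"/>'
            '</Relationships>')


def build_sample_docx(template_url=None):
    """Return the bytes of a constructed .docx, optionally with a remote template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", _CONTENT_TYPES)
        z.writestr("_rels/.rels", _ROOT_RELS)
        z.writestr("word/document.xml", _DOCUMENT)
        z.writestr("word/_rels/document.xml.rels", _DOC_RELS)
        z.writestr("word/settings.xml", _settings_xml(template_url is not None))
        if template_url is not None:
            z.writestr("word/_rels/settings.xml.rels", _settings_rels(template_url))
    return buf.getvalue()


def find_external_relationships(docx_bytes):
    """Return (rels part, relationship kind, target) for every external http(s) link.

    Checks every .rels part, so it also catches other remote fetches
    (e.g. external OLE objects or linked images), not only attachedTemplate.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, kind, target))
    return hits


def has_remote_template(docx_bytes):
    """True if the document will fetch an attached template over http(s) on open."""
    return any(kind == "attachedTemplate" for _, kind, _ in find_external_relationships(docx_bytes))


if __name__ == "__main__":
    # Scan files given on the command line, or the constructed samples if none.
    paths = sys.argv[1:]
    samples = {p: open(p, "rb").read() for p in paths} if paths else {
        "clean-sample.docx": build_sample_docx(),
        "injected-sample.docx": build_sample_docx("https://templates.example.com/t.dotx"),
    }
    for label, data in samples.items():
        for part, kind, target in find_external_relationships(data):
            print(f"{label}: {part} -> {kind} {target}")
        print(f"{label}: remote template = {has_remote_template(data)}")
```

A document that passes this check can still carry macros or other payloads, so it belongs alongside attachment sandboxing and the other technical controls in this series rather than replacing them.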
Continual security awareness training for all employees is crucial in order to build a strong defense against social engineering attacks. Companies should develop and deliver enterprise-wide training that encompasses all employees, with clear instructions relating to existing policies and technologies. Such security awareness training should:
In addition to conducting regular training, organizations should occasionally conduct unannounced assessments, testing employees on their security awareness. This is typically accomplished through a simulated phishing attack, tracking which users click the link on a sample phishing message. By implementing training and unannounced testing, along with measurable metrics, an organization can develop a strategy to train employees about the dangers they may encounter while using the company’s technical assets.
Of course, security awareness training can go only so far, and no matter how well users are trained there is always a potential for failure. This is why it is important to apply a defense-in-depth approach using not only the solutions discussed in this control, but also the technical controls discussed earlier in this series.
The next post will cover CSC 18: Application Software Security.