Transcript of ACG6415 Introduction
Advanced Information Systems
Introduction to IT Security
Let's take a look at what CPAs are thinking
AICPA Top Technology Initiative
Conducted over the last 25 years
IT Section members
Certified Information Technology Professional (CITP) credential holders
Select CPAs (North America)
“technology issues that are of greatest importance over the next 12 – 18 months as well as emerging technologies on the horizon”
#1 Control and Use of Mobile Devices
“The surging use of smartphones and tablets means people are doing business, exchanging sensitive data wherever, whenever they want to,” said Ron Box, CPA/CITP, CFF. “The technology is advancing so rapidly that the capabilities for controlling and protecting the information on mobile devices are lagging behind. What was once as simple as losing your phone could now create an enormous security risk for organizations.”
#2 Information Security
#1 Security of data, code & communications / data security & document retention / security threats.
Proper Information Security Management protects the integrity, confidentiality and availability of information in the custody of an organization and reduces the risk of information being compromised.
#4 Secure electronic collaboration with clients – client portals
Portals enable employees, customers, vendors, and other contacts to securely access and share information and documents. Collaboration tools allow multiple users to work together on files of all kinds.
#6 Laptop security / encryption
Stored data can be altered to commit fraud, intercepted by an unscrupulous person en route and altered, and laptops storing vast amounts of confidential information can be lost or stolen.
2003 - 2009
#1 Information Security Management
#2 Privacy Management
#3 Secure Data File Storage, Transmission and Exchange
Do you see a Trend Here?
In 2010 and 2011 the survey also asked AICPA members to rank a list of questions heard most often from audit committees, chief financial officers and chief information officers. I'm guessing you will not be surprised to find that in 2010 the #1 and #2 overheard questions were:
Are we ensuring that our data and technology resources are protected against hacking, viruses, or other compromises?
Are we considering or implementing organizational security precautions even though we haven’t had a data breach or loss?
Is our information security policy adequate?
Are we ensuring that our data and technology resources are protected against hacking, viruses or other compromises?
And in 2011 they were:
Stuxnet is the name given to a computer worm, or malicious computer program, that began to spread in mid-2009. It may [be] the most sophisticated cyberweapon ever deployed. (NY Times, Stuxnet Page)
A brief digression
Stuxnet was able to take over the computers inside some Iranian facilities that controlled the centrifuges. The computers used in Iran were manufactured by the Siemens corporation, and in 2008 Siemens allowed the United States to test these machines for vulnerabilities. Delivered by either infected e-mail or a USB device, the malware was designed to target only the specific type of Siemens control computers that were involved with the centrifuges.
“HBGary, Inc. was founded to provide tools and services to serve the American government and employers who need to protect their assets and information from espionage and international and domestic terrorism. Numerous HBGary principals and employees have proudly served the American military and intelligence agencies and have great pride in the Internet security work that they do to protect American assets and American employers.”
OK so sounds like we should ask them to guest lecture right?
As described in an article by Peter Bright of arstechnica.com (2011), “HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published”.
In short, a SQL injection allows a user with access to a web-based form (normally used to input data into a system) to submit input that is executed as part of a database query, giving them control over the underlying database (deleting it, retrieving information from it, changing data, etc., depending on the input submitted).
Escaped PHP code (the legacy mysql_* API; each POST value is escaped before it is concatenated into a query):
<?php
// mysql_real_escape_string() needs an open MySQL connection and only escapes
// quote and control characters in the value; it was removed in PHP 7 in favour
// of prepared statements (mysqli or PDO), which keep values out of the SQL text.
$Nid = mysql_real_escape_string($_POST["id"]);
$Avatar = mysql_real_escape_string($_POST["AVName"] . " Resident");
$Twitter = mysql_real_escape_string($_POST["TwitterAcct"]);
$Email = mysql_real_escape_string($_POST["Email"]);
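To make the point concrete, here is an added example (not code from the lecture or from HBGary) that contrasts the flawed query pattern with a parameterized one. It uses Python's built-in sqlite3 module on an in-memory table with constructed rows; the table, column names and sample values are all assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real data).
SAMPLE_USERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
    (3, "carol", "carol@example.org"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """The flawed pattern: the form value is pasted into the SQL text, so a
    quote character in the input changes the structure of the statement."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a parameterized query. The statement and the value travel
    separately, so the value can never become part of the SQL."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with an ordinary value and with a value that closes
    the string literal and appends an always-true condition."""
    conn = make_db()
    honest = "bob"
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_honest": len(lookup_safe(conn, honest)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable lookup returns every row for the crafted value, because the database sees `WHERE name = 'x' OR '1'='1'`; the parameterized lookup returns nothing, because it searches for a user literally named `x' OR '1'='1`. Escaping (as in the PHP snippet above) also blocks this particular input, but parameterization does not depend on remembering to escape every value.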
Usernames, e-mail addresses & passwords were stolen but...
Passwords were stored as a hash
But it was a weak hash, one that is easily cracked
The CEO and COO used only
6 digit lowercase letter passwords
The same weak, stolen and cracked passwords were used for e-mail, Twitter and LinkedIn
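The three password failures on this slide (a fast unsalted hash, a tiny keyspace, and reuse) can be shown side by side. The following is an added example, not material from the lecture; the policy thresholds, the PBKDF2 iteration count and the guess rate are assumptions chosen for illustration, and the only library used is Python's standard library.

```python
import hashlib
import hmac
import os
import string

# Assumed parameters for the slow, salted hash (not from the lecture).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def keyspace(alphabet_size, length):
    """Number of candidate passwords for a fixed alphabet and length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time (seconds) to try every candidate at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def weak_hash(password):
    """The kind of storage that was easy to crack: one fast, unsalted digest.
    Equal passwords always produce equal digests, so a precomputed table or a
    fast brute force recovers them."""
    return hashlib.md5(password.encode()).hexdigest()


def meets_policy(password, min_length=12):
    """Simple policy: minimum length plus at least three character classes
    (assumed thresholds)."""
    classes = [
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= min_length and sum(classes) >= 3


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) as bytes.
    A fresh random salt per user means equal passwords hash differently."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Six lowercase letters: 26**6 candidates, exhausted in seconds at an
    # assumed 10 million guesses per second against a fast hash.
    print("keyspace:", keyspace(26, 6))
    print("seconds to exhaust:", seconds_to_exhaust(26, 6, 10_000_000))
    salt, digest = hash_password("Correct-Horse-9x")
    print("verify:", verify_password("Correct-Horse-9x", salt, digest))
```

The arithmetic shows why a six-character lowercase password behind a fast hash offers no protection once the hash file leaks; the salted, iterated hash and the policy check are the storage-side and input-side mitigations, and password reuse across services is the remaining failure that no hashing scheme can fix.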
Subject: need to ssh into rootkit
I'm in europe and need to ssh into the server. can you drop open up firewall and allow ssh through port 59022 or something vague? and is our root password still 88j4bb3rw0cky88 or did we change to 88Scr3am3r88? thanks
Subject: Re: need to ssh into rootkit
hi, do you have public ip? or should I just drop fw? and it is w0cky - tho no remote root access allowed
Subject: Re: need to ssh into rootkit
no I don't have the public ip with me at the moment because I'm ready for a small meeting and I'm in a rush. if anything just reset my password to changeme123 and give me public ip and I'll ssh in and reset my pw.
Subject: Re: need to ssh into rootkit
ok, it should now accept from anywhere to 47152 as ssh. I am doing testing so that it works for sure. your password is changeme123. I am online so just shoot me if you need something. in europe, but not in finland? :-)
Subject: Re: need to ssh into rootkit
if I can squeeze out time maybe we can catch up.. I'll be in germany for a little bit. anyway I can't ssh into rootkit. you sure the ip's still 184.108.40.206?
Subject: Re: need to ssh into rootkit
does it work now?
Subject: Re: need to ssh into rootkit
yes jussi thanks
To summarize the hack/attack, “A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren't patched. And an astonishing willingness to hand out credentials over e-mail, even when the person asking for them should have realized something was up.”
A wearable jamming technology could protect patients with implants from potentially life-threatening attacks
August 18th 2011, Technology Review
Many medical implants, such as insulin pumps and pacemakers, are equipped with wireless radios that let doctors download data about the patient's condition and adjust the behavior of the implant. But these devices are vulnerable to hackers who can eavesdrop on stored data or even reprogram the implant, causing, for example, a pacemaker to shock a heart unnecessarily.
October 26, 2012
South Carolina Department of Revenue
Columbia, South Carolina GOV HACK
6.4 million records breached
South Carolina Department of Revenue's website was hacked by a foreign hacker. The hack most likely began on August 27, was discovered on October 10, and was neutralized on October 20. Around 3.6 million Social Security numbers and 387,999 credit card and debit card numbers were exposed. A total of 16,000 payment card numbers were not encrypted.
UPDATE (10/31/2012): Tax records dating back to 1998 were exposed. A lawsuit alleging that South Carolina failed to protect citizens of South Carolina and failed to disclose the breach quickly enough was announced on October 31.
UPDATE (11/05/2012): Trustwave was named as the data security contractor who handled the South Carolina website and added to the group being sued over the breach. Trustwave is an international company based in Chicago.
UPDATE (11/15/2012): Over 4.5 million consumers and businesses may have had their tax records stolen by hackers. It appears that Trustwave focused on helping the South Carolina Department of Revenue comply with regulations regarding how credit card information is handled. Neither Trustwave nor the South Carolina Department of Revenue detected the breach.
UPDATE (11/29/2012): The total number of people or businesses affected was updated to 6.4 million. Approximately 3.8 million taxpayers and 1.9 million of their dependents had their information exposed. Additionally, 3.3 million taxpayers had bank account information obtained. It is unclear how much overlap there is between the 3.8 million taxpayers and the 3.3 million taxpayers who had bank account information obtained.
July 8, 2011
A man hacked into the websites of multiple businesses; one of them was the Capital Grill website. He was able to obtain email addresses and passwords of registered customers. A total of 250 people from across the businesses had their information stolen. He then tried to use the login information on financial websites. He was able to access the financial accounts of people who used the same email and password combination. A federal judge sentenced him to 10 years in prison.
October 10, 2012
Northwest Florida State College
279,000 records at least 200,050 SS#'s
An internal review revealed a hack of Northwest College servers. One or more hackers accessed at least one folder in the server between May 21, 2012 and September 24, 2012. Over 3,000 employees, 76,000 Northwest College student records, and 200,000 students eligible for Bright Future scholarships in 2005-06 and 2006-07 were affected. Bright Future scholarship data included names, Social Security numbers, dates of birth, ethnicity, and genders. Current and former employees that have used direct deposit anytime since 2002 may have had some information exposed. At least 50 employees had enough information in the folder to be at risk for identity theft.
July 23, 2012
3 million American accounts (No SSNs or financial information reported)
Hackers were able to access Gamigo's server in February of 2012. Notification of the breach was sent on March 1. Gamigo warned users and advised that they change any passwords for emails associated with Gamigo. The hacked information was released on July 6. A total of 8,243,809 user email addresses and encrypted passwords were posted online.
June 19, 2011
London, City of London
1.29 million (No SSNs or financial information reported)
The location listed is the European headquarters of Sega.
The SEGA Pass website was hit by hackers sometime around June 16. Sega Europe in London operates the website, but customers worldwide may have been affected. No credit card information was exposed, but names, dates of birth, email addresses and encrypted passwords were stolen by the hackers. Sega recommends that customers change login information for other sites if they used the same login information for SEGA Pass. Sega reported that 1,290,755 customers were affected.
June 9, 2011
New York, New York
Customers may call 888-640-4982 for more information.
Hackers have managed to access the information of approximately 1% of Citibank's 21 million users. U.S. Customer names, account numbers, and contact information were exposed. Security codes and dates of birth were not exposed. The breach occurred sometime in May.
UPDATE (6/13/2011): Citibank released an official statement on the Citigroup website.
UPDATE (6/14/2011): It has been revealed that hackers obtained customer names, account numbers and transaction information by logging into the customer credit card site and guessing the account numbers of other customers. Since the account number appeared in the web address browser bar, simply altering an account number allowed the hackers to access a different account. The hackers also utilized an automatic computer program to guess account numbers quickly. This incident appears to have occurred in early May.
UPDATE (6/14/2011): Connecticut Attorney General George Jepsen asked Citigroup Inc. to provide more information about the data breach. Jepsen feels that more information about the types of account information exposed, the cause of the breach, the steps taken to notify affected individuals and the steps to prevent future breaches is needed. He requested the additional information by June 22.
UPDATE (6/16/2011): The number of affected individuals has been raised from 210,000 to 360,000. Further investigation of and information about the breach revealed that the breach was discovered on May 10. By May 24, Citigroup officials concluded that the data thieves had captured names, account numbers, and email addresses of about 360,000 customer accounts. Social Security numbers, expiration dates, and three-digit security passwords found on the back of credit cards were not exposed.
UPDATE (6/24/2011): At least 3,400 of the customers whose credit card information was stolen have suffered a combined loss of $2,700,000.
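The Citibank update above describes two things a defender can act on: the missing ownership check on the account number in the URL, and the automated guessing that walked through consecutive account numbers. The following added example (not Citibank's code or anything from the lecture) shows both: an object-level authorization check beside the flawed version, and a detection routine run over constructed web-server log lines. Session ids, account numbers, the URL format and the alert thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines: a session id, then the account number that
# appeared in the requested URL. Session b7 walks six consecutive numbers.
SAMPLE_LOG = """\
sess=a1 GET /account?number=1000245
sess=a1 GET /account?number=1000245
sess=b7 GET /account?number=1000300
sess=b7 GET /account?number=1000301
sess=b7 GET /account?number=1000302
sess=b7 GET /account?number=1000303
sess=b7 GET /account?number=1000304
sess=b7 GET /account?number=1000305
sess=c9 GET /account?number=2000010
""".splitlines()

LINE_RE = re.compile(r"sess=(\w+) GET /account\?number=(\d+)")

# Constructed ownership table: the account numbers each session may view.
OWNERSHIP = {"a1": {1000245}, "b7": {1000300}, "c9": {2000010}}


class Forbidden(Exception):
    """Raised when a session asks for an account it does not own."""


def get_account_vulnerable(session, number):
    """The flawed pattern: whatever number is in the URL is served."""
    return {"number": number}


def get_account_safe(session, number):
    """Object-level authorization: the number must belong to the session,
    regardless of what the client put in the URL."""
    if number not in OWNERSHIP.get(session, set()):
        raise Forbidden(f"session {session} may not view account {number}")
    return {"number": number}


def longest_consecutive_run(sorted_nums):
    """Length of the longest run of consecutive integers in a sorted list."""
    best = cur = 1 if sorted_nums else 0
    for prev, nxt in zip(sorted_nums, sorted_nums[1:]):
        cur = cur + 1 if nxt == prev + 1 else 1
        best = max(best, cur)
    return best


def enumeration_alerts(lines, max_distinct=3, max_consecutive=3):
    """Flag sessions that view more distinct accounts than a legitimate
    customer would, or that step through consecutive account numbers."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[m.group(1)].append(int(m.group(2)))
    alerts = {}
    for sess, nums in seen.items():
        distinct = sorted(set(nums))
        run = longest_consecutive_run(distinct)
        if len(distinct) > max_distinct or run >= max_consecutive:
            alerts[sess] = {"distinct": len(distinct), "consecutive_run": run}
    return alerts


if __name__ == "__main__":
    print(enumeration_alerts(SAMPLE_LOG))
    try:
        get_account_safe("b7", 1000301)
    except Forbidden as exc:
        print("denied:", exc)
```

The authorization check is the fix; the log analysis is the compensating control that would have surfaced the automated guessing early, since a real customer rarely views more than a handful of accounts and never walks through consecutive numbers.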
June 6, 2012
Mountain View, California
A file containing 6,458,020 encrypted passwords was posted online by a group of hackers. It is unclear what other types of information were taken from LinkedIn users. LinkedIn recommends that users change their passwords.
National Defense Authorization Act
Signed into Law
“Department of Defense may carry out offensive cyber attacks to defend U.S. interests and those of its allies. It also requires the military to take certain defensive cyber measures, including the creation of a new insider threat program.”
Attacks can be carried out at the President's direction and are subject to the law of warfare and the War Powers Resolution.
Block unauthorized software
Accept authorized software
Constantly monitor system settings
Remediate deviations from baseline settings.
Increase the "number and skill" of cybersecurity pros
Detect unauthorized access, use, or transmission of sensitive information.
centralize the monitoring and detection of unauthorized activities
Monitor the use of external ports;
Disable removable media ports;
Report unusual user activity;
Implement role-based access;
Use data-loss prevention and data-rights management technology to prevent leaks.
Of Others - schadenfreude
U.S. Senate website twice
FBI contractor once
logins and passwords from a porn site
Arizona law enforcement.
"Much of the computer security industry came to love the group. Lulzsec hadn’t used particularly sophisticated hacks in many cases, but that was the point. After years of security staff complaining to their managers that security was abysmal and privacy dead — only to be told there wasn’t money for security, the hacker group had done what they could never do: made people pay attention."
Aaron Barr, CEO, claimed to have uncovered the leadership of Anonymous. He said the group had around 30 members, and 10 “core” members who made the decisions, and that he’d linked their IRC handles to their real names using social network analysis. He was building a security conference talk around his research.
“I am doing a pretty good job identifying key people and illuminating how they work. All of this I am doing using social media analysis. There are probably a few government organizations that might be interested in this data before I go public with it…. I think it will make quite a splash,” said Barr in an e-mail to a colleague.
Outline of Topics
AICPA Top 10 Technology Initiatives.
What is the Government (Ours) doing?
Hacking vs. Hactivism (Anonymous)
HB Gary Hack
Recent Hacking Cases
The practice of promoting a political agenda by hacking, especially by defacing or disabling websites
Unauthorized attempts to bypass the security mechanisms of an information system or network
Advanced Cyber-weapon, a toolkit of malware:
At least 20 modules available
One plugin turns on the internal microphone of infected machines so Skype conversations can be secretly monitored in real time.
A separate module scans nearby Bluetooth-enabled devices for names and phone numbers stored in contact lists.
A third monitors machine activity by taking screenshots every 15 to 60 seconds, depending on whether Outlook or another targeted application is in use, and uses SSL-protected connections to send the images to the attackers.
Flame can also sniff traffic passing over local networks to siphon user names, passwords, password hashes, and other sensitive data that attackers can use to further monitor their targets.
Reported May 29, 2012 (Kaspersky Lab)
Exploited Windows Update
Without getting technical: counterfeit Microsoft digital certificates were created so that software updates looked like they came from Microsoft
Self-destruct command reported on June 8, 2012
USCYBERCOM is responsible for planning, coordinating, integrating, synchronizing, and directing activities to operate and defend the Department of Defense information networks and when directed, conducts full-spectrum military cyberspace operations (in accordance with all applicable laws and regulations) in order to ensure U.S. and allied freedom of action in cyberspace, while denying the same to our adversaries.
Elevated to Independent Status August, 2017
This just in....
Months after a foreign hacker broke into the South Carolina Department of Revenue’s computer system, exposing millions of taxpayers’ personal records and causing the state to spend $20 million for added protection, state cabinet agencies are still working on security improvements, an examination by GreenvilleOnline.com shows.
Just one of South Carolina Gov. Nikki Haley’s 15 cabinet agencies questioned by the website — the Department of Probation, Pardons and Parole — responded without qualifications that it had the full basic protections experts say could have significantly reduced the chances of a data breach at the Revenue Department.
Reported by: teamshatter.com January 7, 2012
Iran Fights back/Itsoknoproblembro?
According to the NY Times, January 9, 2013
Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC. (DDOS attacks)
hackers chose to pursue disruption, not money: another earmark of state-sponsored attacks, the experts said.
Attacks are coming from data centers and from the cloud, and are often encrypted
What are Governments Proposing?
Neelie Kroes, EU commissioner for the Digital Agenda, is proposing:
Report the loss or theft of personal information related to a data breach by:
companies that run large databases, those used for Internet searches, social networks, e-commerce or cloud services.
Similar Bill was proposed in the U.S. Senate
Would have required water and electric utilities and transport network operators to improve the security of their computer systems.
Would have required notification of breaches to Cybercommand or D.H.S.
A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review.
CyberSecurity Executive order: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
During Feb 12, 2013 State of the Union speech,
President Obama stated:
"We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
Creates new, real-time information sharing programs that would provide American companies with classified and unclassified cyberthreat information
Directs the National Institute of Standards and Technology to collaborate with industry to develop a framework of cybersecurity best practices to reduce risk to critical infrastructure.
Requires strong privacy and civil liberties protections based on the Fair Information Practice Principles
Establishes a voluntary program to promote the adoption of the cybersecurity framework.
Calls for a review of existing cybersecurity regulation.
PWC Digital IQ asks:
"What actions can leaders take to confirm their digital investments deliver and sustain value?
Which of these technologies will be of strategic importance over the next 3-5 years?
2014 - 2012 Results
Discovered January 14, 2013 (Reported)
Targeted hundreds of diplomatic, governmental, and scientific organizations in at least 39 countries
Has over 1000 unique software modules customized for different attack vectors
individual PCs, networking equipment from Cisco Systems, and smartphones from Apple, Microsoft, and Nokia.
Shut Down January 18, 2013.
Dmitri Alperovitch, 32
MIT Review Top 35 innovators under 35 (2013)
Cofounder of the security company CrowdStrike wants to help cyberattack victims strike back.
"The online criminal problem was and is a big issue, but it pales in comparison to what nation-state attacks are doing to this country and our allies. Google has one of the best security teams on the planet, better than most government organizations, but they and many other companies with very good security practices were still getting hit. The problem was not the security widgets and technology they were using; it was the strategy."
"What you really want is for a cyberattack to be very costly and risky, so it is used only rarely and only against really high-value targets.
Today security companies look for malware and software exploits, but they change constantly. And new ones are launched by the hundreds of thousands each day. At CrowdStrike we look for traces of the adversary and try to find out who the adversary is, what they are after, and what their tradecraft is. We also disseminate that information to enable collective action. It doesn’t have to just be every company for themselves—they can band together and maybe join with government to put pressure on the enemy."
A quick Diversion seems Necessary
NSA and others can listen in to GSM phone conversations
NSA and GCHQ use Google tracking cookies to identify targets
Italian leadership, embassy and public targeted by the NSA
Sweden’s FRA spies on Russian leadership for the NSA
NSA retains information on UK citizens
NSA and GCHQ break into Yahoo and Google data centres
OK You get the Picture
NSA trying to build quantum computer
NSA Tailored Access Operations’ software and hardware attacks explained
Just what have they been up to?
NGOs and allies found on GCHQ target lists
NSA ranks Norway’s NIS (E-tjensten) as one of its two main foreign partners in the field of “Technical SIGINT.”
Canada has set up and operated covert spying posts in 20 countries at the behest of the NSA
Online games infiltrated by NSA and GCHQ
Sweden’s close relationship with the NSA, GCHQ
NSA collecting phone location data on an unprecedented scale
Australia offered to share citizens’ data with the NSA
Microsoft data centres may also have been NSA targets
50,000 networks infected with NSA malware
NSA monitors calls of world leaders
NSA collects email address books and buddy lists
Since November 2010, SIGINT Management Directive 424 allowed the NSA to analyse phone and email metadata of US persons through contact chaining. This metadata can be supplemented with public or commercial data from sources such as Facebook profiles, voter registration and property records.
Now Back to the Original Lecture
US-CERT is aware of a breach of sensitive patient identification information affecting approximately 4.5 million patients and customers of Community Health Systems, Inc.
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
Pursuant to Section 13 or 15(d) of
the Securities Exchange Act of 1934
August 18, 2014
Date of Report (date of earliest event reported)
COMMUNITY HEALTH SYSTEMS, INC.
(Exact name of Registrant as specified in charter)
In July 2014, Community Health Systems, Inc. (the “Company”) confirmed that its computer network was the target of an external, criminal cyber attack that the Company believes occurred in April and June, 2014. The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems.
The attacker was able to bypass the Company’s security measures and successfully copy and transfer certain data outside the Company.
Since first learning of this attack, the Company has worked closely with federal law enforcement authorities in connection with their investigation and possible prosecution of those determined to be responsible for this attack. The Company also engaged Mandiant, who has conducted a thorough investigation of this incident and is advising the Company regarding remediation efforts. Immediately prior to the filing of this Report, the Company completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type.
The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data. However, in this instance the data transferred was non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company. The Company has confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and social security numbers.
The Company is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law. The Company will also be offering identity theft protection services to individuals affected by this attack.
The Company carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature. While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results.
How did it happen?
Obtained login credentials via the Heartbleed vulnerability in Juniper Networks equipment (used for the remote access VPN)
So why didn't CHS update OpenSSL?
Now able to log in as a legitimate employee
"Hacked" into database to obtain PI info
How? Not stated:
Discovered around 201-2012
Reportedly a tool of NSA and GCHQ
Consists of Modules:
remote access trojan that gives the attackers backdoor access to infected systems, a keystroke logger and clip board sniffer, a password sniffer, modules to collect information about USB devices connected to the infected system, and an email extraction module
Entire networks, not just individuals
Telecoms in multiple countries
Research institutes and academics
61% of U.S. respondents believe they have properly protected traditional networks and internal servers from external security threats.
52% are confident they have IT security policies appropriate for their industry and company size
58% believe they can ensure the availability and continuity of IT services.
40-43% addressed all relevant threats, including those from emerging technologies such as cloud, mobility, and social media; properly protected smartphones, tablets, and other devices from a data breach; and can quickly detect and respond in the event of a cyberattack.
2012 Confidence Scores
14. Do not argue with trolls - it means that they win
U.S. Attack on ISIS
Publicly Announced (1st time)
Defense Secretary Ashton B. Carter
Deputy secretary of defense, Robert O. Work, “We are dropping cyberbombs,”
To disrupt the ability of the Islamic State to spread its message
Attract new adherents
Circulate orders from commanders and carry out day-to-day functions
Like paying its fighters.
Here's what we know:
"half-dozen senior and midlevel officials indicate that the effort has begun with a series of “implants” in the militants’ networks to learn the online habits of commanders. Now, the plan is to imitate them or to alter their messages, with the aim of redirecting militants to areas more vulnerable to attack by American drones or local ground forces.
GAO Report 16-350
VEHICLE CYBERSECURITY: DOT and Industry Have Efforts Under Way, but DOT Needs to Define Its Role in Responding to a Real-world Attack
Intrusion into UCF Network Involves Personal Data
"For background, upon discovering the intrusion in January, university officials reported the incident to law enforcement and launched an internal investigation with the assistance of a national forensics firm. The incident involved the potential access to Social Security numbers, but not credit card information, financial records, medical or health records, or grades."
Joel Hartman, who oversees the university's information technology department, said it's unclear who is responsible for the hack, although it likely was done by multiple individuals over time.
"All the information we have indicates there has been no attempt to use this information for identity theft or fraud or other financial means," Hartman said, adding no credit card information or grades were stolen. Other information, including student and employee ID numbers, also was compromised.
Used to be violated this way.........
During this Election cycle what "breaches" of sovereignty have occurred?
#2 Create cyberspace advantages to enhance operations in all domains.
#3 Create information advantages to support operational outcomes and achieve
#4 Operationalize the battlespace for agile and responsive maneuver.
#5 Expand, deepen, and operationalize partnerships.
Achieve and sustain overmatch of adversary capabilities.
Anticipate and identify technological changes, and exploit and operationalize emerging technologies and disruptive innovations faster & more effectively than our adversaries. Rapidly transfer technologies with military utility to scalable operational capabilities. Enable our most valuable assets—our people—in order to gain advantages in cyberspace. Ensure the readiness of our forces.