Question

In: Computer Science

Assume a scenario where the hackers gained access to information through malware on Point-of-Sale (POS) systems...

Assume a scenario where the hackers gained access to information through malware on Point-of-Sale (POS) systems of more than a million credit and debit cards. The firewall had captured the first malware code and an alert was issued, which was ignored. The hackers started downloading the collected data. The cyber criminals have hacked the system to gain credit and debit card information.

1. Explain in your own words what happened in the above discussed data breach. [5 Marks]

2. Identify and experience the type of attack experienced in the above scenario. [2 Marks]

3. The stolen credentials alone are not enough to access the company’s POS devices. What other means can the hackers acquire to allow them to navigate the company’s network and deploy the malware? [3 Marks]

4. What would the hackers have done for privilege escalation? [2 Marks]

5. The organization admitted that they ignored many alerts from their network security devices because of alert overload. If you are the organization’s Chief Technical Officer (CTO), what would you do to reduce the problem of alert overload? [3 Marks]

6. The security experts criticize the organization for failing to isolate sensitive sections of their networks from those more easily accessible to outsiders. As a CTO, please propose a feasible solution to segment and categorize your networks and resources. [5 Marks]

Solutions

Expert Solution

1. Explain in your own words what happened in the above discussed data breach.

Answer:

In my view, hackers had managed to plant malware on point-of-sale systems, and this malware allowed the hackers to collect the credit and debit card details of customers who made transactions using POS terminals at various stores, gas stations or other places. The attackers may have connected to one of the company’s servers through a VPN and managed to remotely install some kind of password-cracking tool such as L0phtcrack. While running that program, the server might have crashed and raised a security alert to the security team, who then started investigating the data security breach. With a limited timeframe to grab vulnerable data, the attackers managed to steal two more accounts, and while the security team was trying to identify and stop the breach, the hackers may have used the stolen accounts to access the system and steal information afterwards. Using the hacked account information, the hackers gained access to the POS technical specifications, the storage system’s technical specifications, the TLOG encryption details and information about the financial flows as well, which contained the detailed communication flow chart required for the transaction process: from the moment a customer swiped a credit/debit card in any store’s card reader to the point where the data traversed the network to be authenticated by the card issuer.

2. Identify and experience the type of attack experienced in the above scenario.

Answer:

It’s a case of POS malware, which hackers design and use on point-of-sale (POS) terminals and systems with the intent of stealing payment card data. It is commonly used by cybercriminals who want to resell stolen customer data from retail stores. Payment card data is encrypted end-to-end and is only decrypted in the random-access memory (RAM) of the device while the payment is processing. A POS malware attack enters through compromised or weakly secured systems and scrapes the RAM to find payment card data, which is then sent unencrypted to the hacker.

3. The stolen credentials alone are not enough to access the company’s POS devices. What other means can the hackers acquire to allow them to navigate the company’s network and deploy the malware?

Answer:

As far as other methods of deploying malware in a company’s network are concerned: in the past, malware depended on floppy discs being inserted into computers. Other methods include USB drives or CDs. But today, hackers extensively utilise electronic messaging such as email, social media posts and other related means. Once someone downloads a file or clicks on a particular link, the malware takes root in the device or network and gains access to its credentials very easily. Also, web-based malware, the most common means of infection, may comprise code that is auto-executed (also known as “drive-by downloads”) and code that requires additional user interaction beyond the page visit, like fake audio-visuals scaring users into “click here to scan your PC and clean your infected system for free”, etc.

4. What would the hackers have done for privilege escalation?

Answer:

Privilege escalation is a common threat, which allows hackers to enter any organization’s IT infrastructure and search for permissions to steal sensitive data, disrupt operations and create backdoors for easy future attacks. Raised privileges open doors for attackers to meddle with security settings, configurations and data as well; they are often able to gain access to lower-privilege accounts first and then use them to obtain high-level privileges and full access to the organization’s IT environment.

There are two types of privilege escalation:

  • Horizontal privilege escalation: This attack involves a hacker taking over someone else’s account. For example, one internet banking user might gain access to the account of another user by stealing that user’s ID and password.
  • Vertical privilege escalation: In this type of attack, a hacker gains access to a lower-level account and uses it to gain a higher level of privileges. For example, a hacker might gain access to a user’s bank account and then try to get access to site administrative functions as well. Vertical privilege escalation requires more erudite attack techniques compared to horizontal privilege escalation; hacking tools are often required that help the attacker gain elevated access to systems as well as data.

Typically, a privilege escalation attack consists of five steps:

  • Find a vulnerability (system weakness)
  • Create the related privilege escalation exploit
  • Use that exploit on a system
  • Check whether the system was successfully exploited or not
  • Gain additional privileges through escalation

Below are the two techniques that attackers use to achieve these types of privilege escalation.

Method 1: Access Token Manipulation.

This privilege escalation technique exploits the way Windows manages admin privileges.

Method 2: Using Valid Accounts.

Adversaries can use credential access techniques, e.g. credential dumping, account manipulation and others, to obtain the credentials of specific user accounts, or steal them through social engineering if possible.

5. The organization admitted that they ignored many alerts from their network security devices because of alert overload. If you are the organization’s Chief Technical Officer (CTO), what would you do to reduce the problem of alert overload?

Answer:

Though the alert-overload challenge has been an ever-increasing problem for security professionals so far, cyber security experts have managed to provide very few solutions for this issue:

  • Reduce the volume of alerts by reducing the alert criteria or turning off specific features in a given security application.
  • Manually pick among alerts for investigation.
  • Hire extra incident response experts to investigate the increasing volume of alerts.
  • Lastly, ignore all alerts: the worst possible outcome of the alert overload problem.

6. The security experts criticize the organization for failing to isolate sensitive sections of their networks from those more easily accessible to outsiders. As a CTO, please propose a feasible solution to segment and categorize your networks and resources.

Answer:

Categorising networks and resources is an increasingly common practice in computer networking and is the process of dividing a computer network into a series of sub-networks. It is sometimes termed “zoning”. Categorising networks and resources helps you avoid setting yourself up for extreme vulnerability by relying on one huge target.

Once any unauthorized access occurs, network segmentation offers a greater chance of providing effective controls to minimize the potential threat in the next step of a network intrusion.

Proposed Network Segmentation Design

  1. Inventory systems. Classify and identify the sensitive data of your company. This is one of the key concepts of security that matters the most: what data do I have, and who has access to that data?
  2. Identify and group parallel systems if required, and perform data classification as well.
  3. Identify who uses the data. This type of refinement will help you take rule-based access to a whole new level, because you’ll be required to grant access to all these systems only to those who need it.
  4. Design the segmented network, i.e. what are you going to put together? Why? And who needs access?
  5. Invest in capital expenses. It is all about purchasing firewalls, software, or just configuration time for VLANs.

a. Network Segmentation Implementation

1. Start with the various segments, for example Guest, Test, and Development.

2. Limit both inbound and outbound data traffic. Start implementing granular control according to the principle of the least access required to complete company tasks.

3. Default deny rule. This is a basic principle in firewall configuration: deny everything that hasn’t been explicitly allowed in your system.

b. Network Segmentation Monitoring

As we know, insider threats continue to be a major cause of security breaches, and a malicious intruder impersonating a trusted insider is common, as we have seen in several examples, so it’s worth paying attention to.

1. Configure your IDS and IPS to track and monitor internal network segments as well as your external network.

2. Review your logs every day. The most dependable, accurate, and practical tools in the security arsenal are the event and audit logs created by network devices.

3. Analyse your logs for suspicious or unusual behaviour.
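For question 5, an added example (not part of the expert answer above) of how a CTO could cut alert overload without ignoring alerts: collapse repeated alerts into one row per burst and rank each group by severity multiplied by the criticality of the zone it touches, so the single malware alert on a POS host ranks above hundreds of guest-network port scans. The alert feed, address prefixes, zone names and weights are all constructed for illustration.

```python
# Constructed alert feed as (seconds, signature, src_ip, dst_ip); not real data.
ALERTS = [
    (5, "Port scan", "10.20.0.5", "10.1.0.1"),
    (6, "Port scan", "10.20.0.5", "10.1.0.2"),
    (7, "Port scan", "10.20.0.5", "10.1.0.3"),
    (8, "Port scan", "10.20.0.5", "10.1.0.4"),
    (12, "IM client policy violation", "10.1.0.40", "198.51.100.7"),
    (13, "IM client policy violation", "10.1.0.40", "198.51.100.7"),
    (30, "Malware binary detected", "203.0.113.9", "10.50.0.12"),
    (45, "Outbound FTP to unknown host", "10.50.0.12", "203.0.113.20"),
    (46, "Outbound FTP to unknown host", "10.50.0.12", "203.0.113.20"),
]

# Constructed zone map, prefix -> (zone, criticality); the POS segment ranks highest.
ZONES = {"10.50.": ("pos", 10), "10.1.": ("corp", 4), "10.20.": ("guest", 1)}

# Constructed base severity per signature; unknown signatures score 1.
SEVERITY = {"Malware binary detected": 9, "Outbound FTP to unknown host": 8,
            "Port scan": 3, "IM client policy violation": 2}


def zone_of(ip):
    """Map an address to (zone, criticality); anything unmapped is external."""
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return ("external", 0)


def triage(alerts, window=60):
    """Collapse repeats of one signature from one source inside a time window,
    then rank each group by severity x criticality of the most sensitive zone hit."""
    groups = {}
    for ts, sig, src, dst in alerts:
        (sz, sw), (dz, dw) = zone_of(src), zone_of(dst)
        key = (sig, src, ts // window)  # one row per burst, not per packet
        group = groups.setdefault(key, {
            "signature": sig, "src": src, "dst": dst, "count": 0,
            "zone": dz if dw >= sw else sz,
            "score": SEVERITY.get(sig, 1) * max(sw, dw, 1),
        })
        group["count"] += 1
    return sorted(groups.values(), key=lambda g: g["score"], reverse=True)


if __name__ == "__main__":
    for g in triage(ALERTS):
        print(f"{g['score']:>3} x{g['count']} {g['zone']:<8} {g['signature']} from {g['src']}")
```

Nine raw alerts become four rows, with the two POS-related groups at the top of the queue.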

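For question 6, an added example (not part of the expert answer above) of the default-deny segmentation design and the daily log review it calls for: zones are resolved from address prefixes, only explicitly listed zone-pair/port combinations are allowed, and a flow log is audited so that any traffic crossing a segment boundary without a rule, such as a POS host sending data to the Internet, is reported. Zone names, prefixes, rules and flow records are constructed for illustration.

```python
# Constructed zone map for a segmented network; unmapped addresses are "internet".
ZONES = {"10.50.": "pos", "10.60.": "payment_gateway", "10.1.": "corp",
         "10.9.": "corp_mgmt", "10.20.": "guest"}

# Constructed allow-list of (src_zone, dst_zone, dst_port). Anything not listed
# is denied, which is the default-deny rule from the answer above.
ALLOW = {
    ("pos", "payment_gateway", 443),  # card authorisation traffic only
    ("pos", "corp_mgmt", 514),        # syslog from POS hosts to the monitoring segment
    ("corp_mgmt", "pos", 22),         # administration from the management segment only
    ("corp", "internet", 443),
    ("guest", "internet", 80),
    ("guest", "internet", 443),
}

# Constructed flow log as (src_ip, dst_ip, dst_port); not real data.
FLOWS = [
    ("10.50.0.12", "10.60.0.2", 443),    # POS -> payment gateway: allowed
    ("10.20.0.5", "10.50.0.12", 445),    # guest -> POS file sharing: denied
    ("10.50.0.12", "203.0.113.20", 21),  # POS -> Internet FTP: denied (data leaving the CDE)
    ("10.1.0.40", "10.50.0.12", 3389),   # corp workstation -> POS RDP: denied
    ("10.9.0.3", "10.50.0.12", 22),      # management host -> POS SSH: allowed
    ("10.1.0.40", "198.51.100.7", 443),  # corp -> Internet HTTPS: allowed
]


def zone_of(ip):
    """Resolve an address to its zone; anything outside the mapped ranges is the Internet."""
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "internet"


def is_allowed(src_ip, dst_ip, port):
    """Default deny: a flow passes only if an explicit rule covers its zone pair and port."""
    return (zone_of(src_ip), zone_of(dst_ip), port) in ALLOW


def audit(flows):
    """Return the flows the policy would block, tagged with the zone boundary crossed,
    so a daily log review shows where segmentation is being violated."""
    return [(src, dst, port, f"{zone_of(src)}->{zone_of(dst)}")
            for src, dst, port in flows if not is_allowed(src, dst, port)]


if __name__ == "__main__":
    for src, dst, port, boundary in audit(FLOWS):
        print(f"DENIED {boundary:<22} {src} -> {dst}:{port}")
```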
