2012: how to avert the disaster in the movie

2012 Security Trends. Bob Hung, TW/HK GM, Trend Micro

Copyright © 2011 Trend Micro Incorporated. All rights reserved.


Post on 12-Sep-2021


Page 1: 2012: How To Avert The Disaster In The Movie



Agenda

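2012 Security Predictions

Trend #1: Advanced persistent threats (APTs) go mainstream

Trend #2: Virtualization and cloud security grow in importance

Trend #3: In the post-PC era, mobile device management becomes essential

Preparing for the Perfect Storm

Trend Micro Confidential 4/2/2012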

2012 Security Predictions

1. Although most enterprises and organizations have yet to fully embrace consumerization, a steady stream of security and data-breach incidents will force them to acknowledge and address the challenges of employees bringing their own devices (BYOD).

2. Data center administrators must deal with increasingly complex security issues, including how to protect physical, virtual, and cloud systems.

3. Smartphone and tablet platforms, especially Android, will be hit by more cybercriminal attacks.

4. Security vulnerabilities will appear in legitimate mobile apps, making it easier for attackers to steal data.

5. Botnets will trend smaller while their numbers keep growing, which will make detection harder.

6. Attackers will go after non-traditional targets, such as heavy-industry equipment (e.g., SCADA-controlled) and even medical devices; attacks on these new targets will increase.

7. In response to legal enforcement in various countries, cybercriminals will find more innovative ways to carry out attacks.

8. More hacker groups will pose a greater threat to the protection of sensitive data at enterprises and agencies.

9. The new social-networking generation will redefine "privacy".

10. Social engineering attacks will become mainstream, and small and medium-sized businesses will also fall victim.

11. New-era attackers will use more sophisticated and complete hacking tools, and their techniques will be more polished.

12. More high-profile data breaches will occur, again through malware and intrusion.

Trend #1: Advanced persistent threats (APTs) go mainstream

2011: The Year of Data Breaches

• Sony PlayStation Network Data Breach: Compromises 77 Million User Accounts — April 26 2011
• RSA suffers Data Security Breach — May 22 2011
• Massive Breach at Epsilon Compromises Customer Lists — April 02 2011
• Sophisticated Cyberattack is Reported by the I.M.F. — June 11 2011
• Citigroup Inc breach may have compromised hundreds of thousands of bank card customers' data — June 08 2011
• Google Hack Attack Was Ultra Sophisticated, New Details Show — Jan 14 2010


APT – Who, Why and How…

Source: Command Five, Advanced Persistent Threats: A decade in Review

Advanced - the hacker has the ability to evade detection and the capability to gain and maintain access to well protected networks and sensitive information contained within them. The hacker is generally adaptive and well resourced.

Persistent - the persistent nature of the threat makes it difficult to prevent access to your computer network and, once the threat actor has successfully gained access to your network, very difficult to remove.

Threat - the hacker has very specific intent and also the capability to gain access to sensitive information stored electronically.

Firstly, it tells us that humans are often the weakest link in the security chain and that users need to be better educated on the threat from social engineering. Socially engineered email campaigns are the most common social engineering technique used, but not the only one. Secondly, it tells us organizations need to review their existing security controls. Looking at the recent APT breaches, existing solutions and processes are inadequate.

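Traditional security cannot stop APTs

• Firewalls are ineffective
– Attacks use normal ports and protocols
• Antivirus is ineffective against APTs
– 63% of APT malware is custom-made
• Employees become the weakest link in security
– Spear-phishing targeted attacks
– Social engineering email
• Vulnerabilities and zero-day attacks
– How do you get every PC and server onto the latest patches?
• Organizations are completely unaware that they have been attacked
– Low-profile and slow, entirely unlike virus behavior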

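Typical APT attack flow

1. Intelligence gathering: Identify and research the personal details of the targets, using public information (LinkedIn, Facebook, etc.) to prepare a customized attack.

2. Point of entry: The typical initial attack uses a social engineering email or IM that carries malware exploiting a zero-day vulnerability. Once a backdoor is planted, the attacker can enter the network at will. (A few attacks break in directly through website weaknesses, but this is not the mainstream method.)

3. Relay station, Command & Control (C&C) communication: Serves as the attacker's stepping stone. The attacker can control a large number of zombie computers and use them as relay stations for later data transfer or for downloading additional malware.

4. Lateral movement: Once inside the corporate network, the attacker goes on to attack other computers to gain more privileges, either to obtain control that eases the next stage of the intrusion or to obtain the access needed to steal highly confidential data.

5. Identifying important data: Several techniques (such as port scanning) are used to locate important servers or services and uncover the valuable data the attacker is interested in.

6. Data exfiltration: Once the data has been gathered, one machine is chosen to handle the transfer. The data is usually sent out in batches, compressed, and even encrypted.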
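As an added example (not part of the original slides), this heuristic looks for the stage 6 pattern in network flow records: one internal machine first collects data from several internal peers, then sends it to a single external address in repeated batches. The internal range, the flow tuple layout, the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the organization's internal range

# Constructed flow records: (minute, source, destination, bytes sent to destination)
FLOWS = [
    (1, "10.0.1.20", "10.0.5.9", 40_000_000),      # servers -> one workstation
    (2, "10.0.1.21", "10.0.5.9", 55_000_000),
    (3, "10.0.1.22", "10.0.5.9", 35_000_000),
    (4, "10.0.5.7", "198.51.100.10", 200_000),     # ordinary browsing
    (60, "10.0.5.9", "203.0.113.50", 30_000_000),  # outbound batches after collection
    (120, "10.0.5.9", "203.0.113.50", 30_000_000),
    (180, "10.0.5.9", "203.0.113.50", 30_000_000),
    (200, "10.0.5.8", "198.51.100.10", 90_000_000),  # large upload, no prior collection
]

def is_internal(addr):
    return ip_address(addr) in INTERNAL

def find_staging_hosts(flows, min_sources=3, min_batches=3, min_out_bytes=50_000_000):
    """Return internal hosts that collect data from several internal peers and
    afterwards send it to one external address in repeated batches."""
    collected = defaultdict(dict)  # host -> {internal source: first minute seen}
    outbound = defaultdict(list)   # (host, external destination) -> [(minute, bytes)]
    for minute, src, dst, size in flows:
        if is_internal(src) and is_internal(dst):
            collected[dst].setdefault(src, minute)
        elif is_internal(src):
            outbound[(src, dst)].append((minute, size))
    findings = []
    for (host, dst), batches in outbound.items():
        sources = collected.get(host, {})
        if len(sources) < min_sources:
            continue  # no internal collection phase seen for this host
        collection_done = max(sources.values())
        # Only count transfers that happen after the last new source was contacted.
        later = [(m, b) for m, b in batches if m > collection_done]
        total = sum(b for _, b in later)
        if len(later) >= min_batches and total >= min_out_bytes:
            findings.append({"host": host, "destination": dst,
                             "sources": len(sources), "batches": len(later),
                             "bytes_out": total})
    return findings

if __name__ == "__main__":
    for finding in find_staging_hosts(FLOWS):
        print(finding)
```

Because compressed or encrypted payloads cannot be inspected, the check relies only on who talks to whom, in what order, and how much.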

APT Attack Stages/Tactics

1. Point of Entry
2. Command & Control (C&C)
3. Lateral Movement
4. Asset/Data Discovery
5. Data Exfiltration

APT Problems by Stages

• Antivirus & FW ineffective
• Human weakest link
• Lack of Compromise Visibility
• Edge Vulnerabilities
• Back-door Established
• Lack of C&C visibility
• Encrypted Communications over HTTP/HTTPS
• Unpatched Hosts
• Zero-day Exploit
• Privilege Escalation
• Visibility of Log-in Failures
• Overwhelmed with system events
• Lack Server Setting & Config. Change Visibility
• Lack Network Analysis Visibility
• Data Exfiltration

APT Needs by Stages

• Check for signs of infiltration
• Analyze Exploits in Sandbox Environment
• Vulnerability Assessment
• Identify C&C IP/Domain
• Monitor network traffic for C&C communications
• Update Gateway Security Policy
• Vulnerability Shielding
• System Integrity Monitoring
• Restrict & Monitor User Access & Privilege Uses
• Log Management & Analysis
• Vulnerability Assessment
• Integrity Monitor
• Data Leak Prevention
• Encryption
• Incident Response

Defense strategy

• Outer line of defense
• Inner line of defense

Diagram labels: Valuable Server, Endpoint

Build an inner line of defense around critical assets

Diagram labels: VMs and a Security VM running on the Hypervisor

Protection modules: Virtual Patching, Firewall, Anti-Virus, Log Inspection, Integrity Monitoring

• Shields zero-day and known Vulnerabilities with Virtual Patching
• Monitors System and File Configuration changes

Increase detection and analysis capability: block early, then analyze fully to enable advanced blocking and cleanup

• Identify Attack Behaviour & Reduce False Positives
• Detect Malicious Content and Communication
• Analyze, Simulate, Correlate
• Visibility – Real-time Dashboards
• Insight – Risk-based Analysis
• Action – Remediation Intelligence
• Out of band network data feed of all network traffic

Trend #2: Virtualization and cloud security grow in importance

Cross-platform security for hybrid networks

• Network threats do not differ greatly just because the platform is new
• Only an integrated, cross-platform security solution can be managed effectively
• Each stage has its own specific security risks

Diagram labels: Physical, Virtual, Cloud; Single Management Console

Security challenges at each stage of virtualization

Stages: Virtualization Adoption, Production Environment, Private/Public Cloud

Challenges (numbered 1 to 11 on the slide):

• Data destruction
• Diminished perimeter
• Resource Contention
• Multi-tenancy
• Data access & governance
• Complexity of Management
• Mixed trust level VMs
• Compliance/Lack of audit trail
• Inter-VM attacks
• Instant-on gaps
• Host controls under-deployed

Benefits that integrated security should deliver

• Higher Density
• Simpler Management
• Better Security

Protection modules: IDS / IPS, Web Application Protection, Application Control, Firewall, Deep Packet Inspection, Log Inspection, Anti-Virus, Integrity Monitoring

Cost Reduction & Consolidation 1 Cloud Security

Challenge: data management and security

Cloud data can provide less visibility and control

Challenge: data destruction

When data is moved, unsecured data remnants can remain

The cloud era: who is in control?

Who is responsible for security?

• With IaaS the customer is responsible for VM-level security
• With SaaS or PaaS the service provider is responsible for security

Diagram labels: Servers; Virtualization & Private Cloud; Public Cloud IaaS; Public Cloud PaaS; Public Cloud SaaS; End-User (Enterprise); Service Provider

VM security + cloud data encryption

Data examples: Patient Medical Records, Credit Card Payment Information, Sensitive Research Results, Social Security Numbers

Modular Protection (vSphere & vCloud)

• Self-defending VM security
• Agentless and agent-based
• One management portal for all modules, all deployments

Encryption with Policy-based Key Management

• Unreadable for unauthorized users
• Control of when and where data is accessed
• Server validation
• Custody of keys

Integration ensures servers have up-to-date security before encryption keys are released

Trend #3: In the post-PC era, mobile device management becomes essential

The consumerization of IT

• Emerging consumer technologies have spread into the enterprise
• IT and consumer electronics are merging into a single device for both work and play
• Control is gradually shifting from enterprise IT and enterprise IT vendors (IBM, HP) to end users and innovative consumer-market vendors (Apple, Google)

"Consumerization will be the most significant trend affecting IT during the next 10 years" - Gartner

Social Networking | Email | Voice over IP | Cloud Applications | Wi-Fi | File Transfer/Sharing | Videoconference | Mobile devices

…not just mobile devices

The challenge facing IT staff today

Diagram label: iPad

More problems are on the way

• The problems seen today are only the start of the next big wave
• Enterprises and organizations need to take a longer-term view of the changes this new trend brings

Diagram labels: iPad, iPhone, Windows phone

Mobile malware is growing sharply

• 15%: share of iPhones that have been jailbroken
• 400%: growth in Android infections in 2011
• Challenges:
– Protect mobile devices
– Detect and block malicious apps
– Protect enterprise IT resources from infection by mobile devices

Consumerization drives a shift in IT resources

• Over the past few years, consumerization has led enterprises and organizations to rethink the value of consumer-grade tools and services

IT control grows harder by the day

How do I…?

• Reduce the cost and resources needed to manage these devices
– "The big bosses all use iPads. How am I supposed to manage that?"
• Protect company data, especially if these devices are lost or stolen
– "Company data is all on personal devices. Who knows what could happen?"
– "How do I separate company data from personal data on a personal device?"
• Ensure that devices using the company network, data, and applications are secure
– "[Android and iPads] are like unprotected PCs"

Embracing consumerization: a balance is needed

"We cannot be binary and say 'You can' or 'You cannot,' we must enable people to do their business." - Trend Micro customer

Closed

• Limited accessibility
• Standard and uniform
• Control!

Open

• Accessible and transparent
• Heterogeneous
• Freedom!

Consumerization

Protection strategy for IT consumerization

Gain visibility and control

• Device Discovery
• Device Enrollment
• Device Provisioning
• Asset Tracking
• S/W Management
• Remote Control

Secure the device

• Anti-Malware
• Firewall
• Web Threat Protection
• Email Security
• Call/SMS Anti-Spam
• App Control/Lock-down

Protect data

• Encryption
• Remote Wipe
• Remote Lock
• SIM Change/Watch
• Feature Lock
• Password Policy

Central & Policy Management

Next-generation security solutions

Diagram labels: Physical | Virtual | Cloud | Virtualized | Desktop/Laptop/Mobile

• Data Protection in the Cloud
• Data Leak
• Virtualization Security
• Advanced Persistent Threats
• Post-PC Era Endpoints


Except as expressly stated otherwise, you are not authorized to copy and distribute the content of this document. TRENDMICRO and Trend Micro Deep Security are registered trademarks of Trend Micro. All other trademarks are the property of their respective owners.

Copyright © 2012 Trend Micro Incorporated. All rights reserved.