Intrusion Prevention - Are We Joking?
Bright Talk Security Summit: July 8th 2010
Mark Henshaw
Statistics
• Employees spend 50 minutes a day using social networking at work
• 40%+ of work emails are of a personal nature and non business related
• 3-5% of users will enter personal data into a phishing site if they reach it
• 46% of the respondents to a messaging survey said they had experienced an increase in malware incidents
• More than 2,700 websites hosting malware are going online every day
• Malware delivery vectors: email 15%, Web 85%
• 20%+ of outgoing emails contain content that poses a legal, financial or regulatory risk
• Social-networking sites do not monitor content for the hosting of malware
• 49% of companies allow unlimited access to social networking sites
• Web email or web postings account for 37% of information leaks
• Two-thirds of organisations are using at least one Web 2.0 application, yet also see these applications as a serious privacy concern
Threat in depth
(Increasing risks, generally catalogued in a management process)
1. Your senior management
2. Your user communities
3. Your processes, or lack thereof
4. Your software and applications
5. Your infrastructure
6. Your suppliers and outsourced processes
7. Your competitors
Agenda
So what can we do to reduce the likelihood?
Can you prevent state sponsored intrusion?
Is defence in depth just a feel good distraction?
If they [cyber criminals] want your IP then is it just a matter of time?
Elastic cloud computing or elastic intrusion?
Sponsored intrusion
• Sponsored intrusion is a deliberate, targeted attempt by a hostile party to gain unlawful access to another network and systems, and ultimately a) steal their intellectual property, b) complete some malicious electronic act causing destruction and/or collapse
• The attack is funded and supported, possibly by the state
• Coordinated, and employs a good level of expertise and sophistication
Intrusion Prevention System
• A misnomer - even the best IPS are unable to detect all cyber attacks, therefore IPS will not prevent all intrusions
• The CEO/COO and Board see IPS as another ‘silver bullet’
• “We’ve got firewalls and now this IDS/IPS stuff, we must be bullet proof”
• Just one element in your overall defence in depth strategy – one instrument in a very large orchestra
Business as a target
• Intrusion attacks, highly sophisticated across multiple surfaces
• The ‘as a service’ model has been available to cyber criminals and state sponsored organisations for some time
• Exponential computing power is available, and now offered as a service through the cloud: ~real-time password computation
Everything is hackable
• People are fallible; social engineers are feasting at the all-you-can-eat buffet of social networking sites
• Present an easy target and you may as well advertise
High profile attacks
• What if your company is high-profile and symbolic of a country’s national identity? McDonald’s = USA
• Defacements and hacking associated with multinational companies or product lines, and high-profile organisations: McDonald’s, Skype, Mazda, Burger King, Pepsi, Fujifilm, Volkswagen, Sprite, Gillette, Fanta, Daihatsu, and Kia; United Nations, Harvard University, Microsoft, Royal Dutch Shell, the National Basketball Association
• The intrusion attack on your company may come from an unexpected quarter
• Not in it for financial gain
• A foreign power attempting to overthrow the capitalist dictator
But it’s all about the user
1. Your senior management
2. Your user communities
3. Your processes, or lack thereof
4. Your software and applications
5. Your infrastructure
6. Your suppliers and outsourced processes
7. Your competitors
And it’s really not that difficult!
Spear Phishing
• GhostNet, Chinese espionage ring
• 1,300 infected computers in 103 countries
• 30% located in government offices, media companies and non-government organisations (NGOs)
• RAT named gh0st RAT: complete control of the host computer
• Variant of an old Spear Phishing scheme: the attacker sends out a carefully worded email message
World’s largest botnet - Africa
• African IT experts estimate an 80% infection rate on all PCs continent-wide
• Unable to afford anti-virus software
• Dial-up download times make updates obsolete
• Broadband service is now being delivered (mid 2010), providing a massive, target-rich environment
• 100 million computers available for botnet herders to add as infected hosts
Authentication and ease of access
Third age of hacking
1st Age: Servers
• FTP, Telnet, Mail, Web. These were the things that consumed bytes from a bad guy
• The hack left a footprint
2nd Age: Browsers
• Javascript, ActiveX, Java, image formats, DOMs. These are the things that are getting locked down
• Slowly, incompletely
3rd Age: Passwords
• Gaining someone’s password is the skeleton key to their life and your business
• Totally invisible – no trace
• $100 for an email password
Weapons
• Keyloggers: both hardware and software; easy to use (search for “invisible keylogger” on YouTube)
• Phishing
iPhone p0wned
Stealing the email credentials for an iPhone
• Run a man in the middle attack over wireless
• Spoof an Access Point with ID ‘BTOpenZone’ using Hotspotter; the iPhone automatically joins
• Fake SSL cert using ettercap
• Very weak alert; the majority of users accept, creds are sent, domain creds if Exchange sync
• Fake certificate cached permanently, works on v3.0 B5
• Only defence is the ‘sleepy’ iPhone, or the very latest firmware
Sequence:
1. ‘BTOpenZone’: iPhone joins network automatically
2. Tries to synchronise email, sends certificate
3. Capture certificate, fake a response using valid info
4. Weak alert, user accepts
5. iPhone sends us its email/domain password
Credit: Ken Munroe, PTP
Another way in to your network
• Business has been asking for advice relating to the suitability of iPhones for corporate email use
• Many people believe the iPhone offers equivalent or better security for email when compared with BlackBerry or Windows Mobile. Does it?
Social (networks) engineering
• Exploiting users
• Stealing their private data
• Trust and relationship mapping to other legitimate users
Social networks, trust
• The increase in the pervasiveness of vulnerabilities due to unfettered hyperconnected trust is challenging the traditional defence in depth security strategies.
• Network-to-network (n2n) bridgeheads can develop, creating attack points passing through traditional defence layers and into the heart of your corporate network.
• Trust can present real risks to your business.
Social networking
Social networking - becoming a big risk
Current issues
• People giving out information – yes, passwords and sensitive data
• The hackers’ No.1 social engineering tool
• Very, very soft target for passwords
• Twittergate was a social engineering hack
• APIs feeding… Apache Lucene, Hadoop and Nutch… creating hotnets for the social network analyst
• Virtual entities are pretending to be real people in a way that enables criminals to gather personal information from the unsuspecting
Emerging issues – watch this space
• Robots can appear online as a genuine person
• Integrate other site functions (your tweets in my Facebook)
• Password hacking
• SSO mode
Defence in depth, a distraction
• A feel-good distraction? Obviously not, but from the Board’s perspective… yes
• Just as IPS suggests, another ‘silver bullet’
• Defence in depth strategy: integrated, holistic, an organism with many moving parts, each intimately connected
• Log files, monitoring, alerting, responding, automation
• Behavioural management, AI and adaptive
Defence in depth, a distraction
• We know it’s all about the user… but the education and awareness training budget got slashed again, needed it for a new Zoominfo website
• We let them loose with web 2.0 technology, it’s good for the business, and the business wants to use the latest iPhone
• Social networking sites are a boon, and Second Life helps our design teams
• We don’t have a Social Media Policy yet
• We’ve got firewalls and IPS so we’re sorted… right?
Defence in depth, a distraction
• The board thinks defence in depth is mostly done
• It’s about technical solutions to technical problems
• They are distracted by the poor coding of applications, and rightly so
• And they are concerned by the SOX control deficiencies that could make them smart a little
• Surely the users can exercise a little common sense
• But it’s all about the user; they are exposed and in trouble
Your IP, a matter of time
• If you are an interesting target then… yes
• Countless examples
• The recent "Operation Aurora" attacks showed how world class IT and Defence companies could be caught out
• Do you know where your Intellectual Property (IP) is? How is it managed? Who has access and why? How is it protected?
• Interestingly, there are many organisations who are unable to answer these simple questions; some have not categorised what their IP is…
How do you see it?
[Diagram: a spectrum from Risk taker (e.g., cost dominated) to Risk averse (e.g., risk dominated), positioning Cloud provider, Start-up, Mature business, CIO, Business unit, Legal, Governance, Security and CISO along it]
Elastic computing, cloud
• You are a target, or will become a target, where your data is held alongside valuable information
• Governance/Compliance: maze of data handling rules
• Legal maturity: cloud models are complex and hard to define; poor or non existent legal structures and precedents
• Cost: driving utilisation of possibly high-risk providers
• Data is fungible and can be transferred to the lowest cost cloud provider without the consent of the customer – the low cost provider may have poor or non existent policy and security
Elastic computing, cloud
• Firewalls can’t manage access to cloud applications because, by definition, these applications are accessed over the Internet outside the corporate firewall
• Poor system authentication, authorisation and accounting (AAA) could facilitate unauthorised access to resources, privilege escalation, and the impossibility of tracking the misuse of resources and security incidents in general
• Cloud makes password based authentication attacks (the trend of fraudsters using a Trojan to steal corporate passwords) much more impactful
Elastic computing, cloud
• Geography can lose all meaning, location seems irrelevant – not able to tell where data is at any given point in time
• Multiple data copies being stored in different locations – also true for private cloud
• Public cloud economics is about trading available processing and storage capacity… data is fungible, and able to be moved… like trading electricity
Elastic computing, cloud
• Your organisation releases the elastic cloud space previously used – it may be done by an aggregator you are unaware of
• You think your data has gone… it’s still there
• Organised crime has identified this
• They watch for elastic cloud space release and then buy up
• Forensically examine and mine your information
• No need to execute some elaborate intrusion, just sit and wait
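As an added illustration of the release-and-mine problem above (not part of the original deck), this Python simulates an elastic storage pool where releasing a block returns the allocation but leaves the bytes in place, then shows the mitigation the deck does not name: encrypt before writing and destroy the key on release, so the residue the next tenant reads is useless. The Pool class, the 64-byte block layout and the SHA-256 counter keystream (a stand-in for a real authenticated cipher) are all constructed for this example.

```python
import hashlib
import os

BLOCK = 64  # bytes per storage block (constructed toy layout)

class Pool:
    # Toy elastic storage pool whose blocks are shared between tenants.
    def __init__(self, blocks):
        self.disk = bytearray(BLOCK * blocks)
        self.free = list(range(blocks))

    def alloc(self, data):
        # Hand out the first free block and write the tenant's data into it
        # (truncated to one block, zero padded).
        idx = self.free.pop(0)
        self.disk[idx * BLOCK:(idx + 1) * BLOCK] = data[:BLOCK].ljust(BLOCK, b"\0")
        return idx

    def release(self, idx):
        # Mirrors elastic cloud release: the allocation returns to the pool,
        # but nothing overwrites the bytes on the underlying medium.
        self.free.insert(0, idx)

    def raw(self, idx):
        # What the next tenant (or a forensic examiner) reads from the block.
        return bytes(self.disk[idx * BLOCK:(idx + 1) * BLOCK])


def encrypt(key, data):
    # SHA-256 in counter mode stands in for a real cipher; XOR the keystream.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, ks))


def released_plaintext_is_readable(secret):
    # Store plaintext, release the block, check whether the secret survives.
    pool = Pool(blocks=4)
    idx = pool.alloc(secret)
    pool.release(idx)
    return secret in pool.raw(idx)  # True: release erased nothing


def released_ciphertext_is_readable(secret):
    # Same flow, but the tenant encrypts before writing and drops the key.
    pool = Pool(blocks=4)
    key = os.urandom(32)  # held by the tenant, never by the provider
    idx = pool.alloc(encrypt(key, secret))
    pool.release(idx)
    del key  # crypto-shredding: without the key the residue is noise
    return secret in pool.raw(idx)  # False: only ciphertext remains
```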
Reducing the likelihood
• The advent of the netcentric world has changed the threat environment dramatically
• Organisations need to reassess how they collect, analyse and use intelligence
• Offence must inform defence
• Reduce your company’s attractiveness, make someone else the target
• There is a need to find the right balance between security and transparency – a pragmatic approach
Reducing the likelihood
• Drive change from the top
• Deliver a Social Media Policy
• Threat modelling, coupled with a risk assessment and risk management program
• Testing high risk groups of people within the organisation for social engineering attacks
• Implement 2-factor authentication for all remote users
Reducing the likelihood
• A layered defence of active and passive defences
• Active defences may provoke, or violate internet laws
• Duty of prevention
• Social Media Policy and OPSEC training
• Enforce application securing principles
• Education and awareness training for all staff
• Patch vulnerable systems
Reducing the likelihood
• Cloud computing must provide security on par with what exists inside the firewall - compliance is impossible without controls
• Password based authentication will become insufficient; stronger or two-factor authentication for accessing cloud resources will be necessary
• Requires an intelligent cloud strategy from the very beginning
Reducing the likelihood
• Employ skilled staff with a thorough understanding of the network environment, and then train them on the attacks and mindset of the cybercriminal
• Remove domain admin accounts for end users
• Ensure all logs produced are reviewed and acted upon
• Education, education, education… Training, training, training…
End
For more information please contact [email protected]
Visit the IT Duco blog to download the complete forum raw transcript (Word doc, docx); you can also leave your comments there too: http://duconotitia.blogspot.com/2010/06/intrusion-prevention-are-we-joking.html
A version of this slide deck will also be available on the blog
Thanks to all who contributed, writing into the blog and LinkedIn groups