Safer Technology Through Threat Awareness and Response
Stephen Cobb, CISSP
Senior Security Researcher
Threat awareness = know your enemy
We all know there are threats, but do we have a clear picture of them?
What are the main threats?
What can we do to defend against them?
What is behind data security breaches?
1. Malware involved in 69% of breaches
2. Hacking* used in 81% of breaches
Verizon 2012 Data Breach Investigations Report
*80% of hacking is passwords: default, missing, guessed, stolen, cracked
3rd element: deception
Used in many types of attack, like this recent attempt to plant a Trojan
Click either link and you will be infected
(Unless you are running a good AV program)
What do cyber criminals want with our digital devices and data?
36 ways to abuse a hacked device
Web server
• Phishing site
• Malware download site
• Warez piracy server
• Child porn server
• Spam site
Botnet activity
• Spam zombie
• DDoS extortion zombie
• Click fraud zombie
• Anonymization proxy
• CAPTCHA solving zombie
Email attacks
• Harvest email contacts
• Harvest associated accounts
• Access to corporate email
• Webmail spam
• Stranded abroad scams
Virtual goods
• Online gaming characters
• Online gaming goods/$$$
• PC game license keys
• OS license key
Reputation hijacking
• Facebook
• Twitter
• LinkedIn
• Google+
Financial credentials
• Bank account data
• Credit card data
• Stock and 401K accounts
• Wire transfer data
Hostage attacks
• Fake antivirus
• Ransomware
• Email account ransom
• Webcam image extortion
Account credentials
• eBay/PayPal fake auctions
• Online gaming credentials
• Website FTP credentials
• Skype/VoIP credentials
• Encryption certificates
Based on original work by Brian Krebs: krebsonsecurity.com
IMPACT
ADVANTAGE
MONEY
CREDENTIALS
What’s their motivation?
The Office of Naval Research and the rail gun
• Fires a projectile at 5,000 mph with a range of 100 miles
• Small businesses responsible for 86 individual subcontracts worth $20m
[Chart: 720 breaches by size of organization (employees). Categories: 1 to 10; 11 to 100; 101 to 1,000; 1,001 to 10,000; 10,001 to 100,000; Over 100,000. Annotation: SMBs. Source: Verizon 2012 Data Breach Investigations Report]
The SMB sweet spot for the cyber-criminally inclined
[Figure: assets worth looting compared with level of protection for three groups: Big enterprise, SMB “sweet spot”, Consumers]
Tools of the trade
To get into cyber crime you need:
A. To be a programmer? No
B. To buy equipment? No
C. To have your own servers? No
Crime kits are slick, easy-to-use, and you can rent them.
Consider the Serenity exploit kit
Thriving markets for credentials
All driven by proven business strategies
• Specialization
• Modularity
• Division of labor
• Standards
• Markets
So how do you defend your devices?
Three main attacks … and defenses
• Attack: Malware. Defense: Scanning
• Attack: Hacking. Defense: Authentication
• Attack: Deception. Defense: Awareness
Scanning doesn’t work if you don’t use it
[Chart: Measures in use at a sample of 82 healthcare facilities. Measures shown: Scan devices while connected; Scan devices prior to connection; Require AV on mobile devices. Axis: 0% to 40%]
98% experienced one or more breaches of PHI
Ponemon Institute Third Annual Benchmark Study on Patient Privacy & Data Security
Authentication beyond passwords
Passwords exposed in 2012: 75,000,000
Need to add a second factor to authentication
2FA raises the bar for attackers trying to get at your corporate network
Awareness: a powerful weapon
• Think before you click/open
• If it sounds too good…
• Just because your friend said…
• Resources:
  • Securing Our eCity
  • We Live Security
  • Podcasts and webinars
  • ESET Smart Security
Security news and how-tos
Thank you!
• Visit www.WeLiveSecurity.com