how modern attackers are disrupting businesses like yours
TRANSCRIPT
Dave Mahon
CenturyLink and Cyber Security
Chief Security Officer, CenturyLink
Security Concerns: What Keeps You Up at Night?
IDC Worldwide Big Data & Analytics Report for 2015
Am I meeting the latest regulatory requirements?
Will I pass the audit?
Do I need cyber insurance?
What sort of policy? What’s the cost?
Am I personally liable should something happen to the company?
Is my brand at risk?
Am I going to get breached?
783 U.S. data breaches tracked in 2014, with a 261% increase in size over 2013!
70 M credit cards compromised due to vendor leak
56 M credit cards leaked after security turnover & software issues.
Digital business assets exploited, damaging the brand, and taking down parts of the network for months.
$200 Million+
$200 Million
$15 Million+
2014: The Year of the Data Breach
Five Primary Sources of Threats: Inside and Outside The Network
Employees
Malicious or not, represent up to 40% of data breaches
INSIDER THREATS
Where is the danger? Top threats in 2014:
1. Malicious Code
2. Web-based attacks
3. Web application attacks
4. Botnets
5. DDoS
6. Spam
7. Phishing
8. Exploit Kits
9. Data Breaches
10. Physical damage / threat / loss
11. Insider threats
12. Information Leakage
13. Identity Theft / Fraud
14. Cyber espionage
15. Ransomware
Protesters with an Axe to Grind
Promote political ends by targeting specific companies
HACKTIVISTS
Zealots with Strong Views
Seek revenge, damage, change
TERRORISTS
Well Funded Criminals
Seek companies with customers and money to lose
CYBER CRIMINALS
Government Funded
Espionage
Target governments and private industry to further political change
STATE SPONSORED
Where is the Weakest Link in Your IT Security Strategy?
Watch our video to learn more about your potential vulnerabilities
info.centurylinkforbusiness.com/IT-Security_Weakest-Link.html
How the Underground Economy Works
Source: Michael Yip, The University of Southampton, Oct 2012
ATTACK SERVICES
Zero-day exploit finders
Malware authors
Botnet herders
Spammers, Phishers
Intruders & Crackers
Rogue web admins
Rogue Hosting
Spoof website designers
Bank data stealers
Plastic vendors & encoders
Cashiers, Scammers
Identity theft & fraud
Carders
DELIVERY
BLENDED SERVICES
FINANCIAL CRIME / IDENTITY THEFT
Game login / Envelope stealers
Virtual asset traders
Blackmailers, Gangs/Mafia
TRADITIONAL ORGANISED CRIMINAL GROUPS
VIRTUAL ASSETS TRADING
Virtual currency sellers
Mules/Drops
Exchangers
MONEY LAUNDERING
Security Service providers
Needed by all parties
Flow of demand
Potential influence
Attack Example: State-Sponsored Espionage
Send Spearphishing Email
May 2013
Gains access to network, steals token data
Using stolen RSA token data and credentials, logs into Lockheed’s VPN.
Attack detected only after an attempt to steal data.
March 2012
Victims: Aerospace and defense organizations, computer hardware and software, legal, energy/gas, finance, telecommunications, mainly in the US
Stolen: Intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and executive email address / contact lists.
The Chinese People’s Liberation Army (PLA) accessed hundreds of terabytes of data from over 141 organizations from 2006 – 2011
Impact
Wanted by the FBI
Attack Example: Cyber-Criminals
“The biggest hack in U.S. retail history”
• $148M hard costs in 6 months
• Loss of consumer confidence
• CEO/top execs forced to resign
• 90 lawsuits in 90 days
• USG investigations
• Total costs could reach billions
• 40 million Target customers' credit card information
• 70 million customers' personal information
Target’s Point of Sale (POS) systems were infected with a “RAM scraping” attack. Unencrypted credit card data was collected as it passed through the infected machine’s memory before being transferred to Target’s payment processing provider. Target’s intrusion detection and anti-virus systems alerted on the malware but it was not acted upon.
September 2013
Rinat Shabayev develops BlackPOS malware and sells it online.
November 2013
In 2 days, malware had reached most Target POS devices, and intruders were collecting live credit card transactions.
Phishing email sent to Target’s payment processing contractor Fazio Mechanical.
Hackers steal credentials and gain remote access to Target’s billing system.
Stolen data is FTP’d to external servers and appears for sale in online black markets.
Hackers move laterally inside Target’s network to access POS Systems and install BlackPOS malware.
December 2013
Impact
Attack Example: Terrorists
What?
• Spearphishing attack
• Similar malware, attack infrastructure, and tactics previously used by North Korea.
• Stole large amounts of sensitive corporate and personal data.
• Released destructive malware that deleted data and rendered thousands of Sony computers inoperable.
• Released Sony’s sensitive data to the public.
Why?
Likely to prevent the release of Sony’s movie, “The Interview,” depicting a fictional plot to assassinate North Korea’s leader.
Impact
• Sensitive data made public including emails, scripts, salaries, and 47,000 employee records.
• Corporate data deleted
• Thousands of employee computers unusable
• Damage to company image with public, employees and industry talent.
• Financial cost of both remediating the attack & limiting the movie’s release.
Attack Example: Hacktivists
Offshoot of Anonymous: LulzSec & Sony Pictures
May - June 2011
UAT Students “Join” LulzSec
Hack Sony Pictures website, access account info
Post stolen data on Pastebin
Goal: To “have fun,” embarrass website owners, ridicule security measures
Victim: Sony Pictures, protesting their action against a hacker for “jailbreaking” PS3
Impact: 37,000 comprehensive customer contact records including passwords stolen
Cody Kretsinger, 23 (AKA “Recursion”)
Raynoldo Rivera, 18 (AKA “Neuron”)
April 2012
Downloads first classified documents as Dell contractor in Hawaii
Edward Snowden - “Whistleblower”
American cybersecurity expert, former CIA system admin and counter intelligence trainer at Defense Intelligence Agency (DIA). Leaked millions of classified documents to journalists.
Charged with: violating the Espionage Act, theft of government property, unauthorized communication of national defense information, and willful communication of classified intelligence. Fled to Russia in 2013 where he remains today.
Dec-Jan 2013
Flies to Hong Kong, reveals numerous NSA docs to Greenwald & Poitras
Snowden connects with reporter/ filmmaker Glenn Greenwald
New job gives him greater access to classified docs. Downloads 1.7 M files using a spider program.
First article published, Snowden goes public.
Leaks 1st intelligence reports, takes leave of absence after 4 weeks on the job.
Attack Example: Insider Threats
Timeline: March 2013, April 2013, May 2013, June 2013
Collaborating on NIST Cyber Security Framework
CenturyLink CEO on committee
Active contributor/participant
Who We Work With: CenturyLink Works with Many Government and Private Entities for National Security and Customer Protection
Permanent seat on NCCIC floor
Member of Cyber Unified Coordination Group
DEFENSE HOMELAND SECURITY JUSTICE
FCC
WHITE HOUSE, STATE, COMMERCE, AND STATE GOVERNMENTS PRIVATE SECTOR
Network Service Provider (NSP) Security (NSP-SEC)
Network Information Sharing Exchange (NSIE)
Defense Industrial Base Information Sharing Exchange (DSIE)
OPS-Trust
24/7 presence within DHS
CSRIC Working Groups
DIB Cyber Security / Information Assurance
Botnet Takedowns
APT Mitigations
Global Infrastructure
Alliance for Internet Safety
INTEGRATING DATA FOR HOLISTIC THREAT PICTURE
Enterprise Managed Security Portfolio
CENTURYLINK DATACENTER
MANAGED HOSTING
ENVIRONMENT
Branch Office
CUSTOMER PREMISES
Headquarters
Fully Managed Defense-In-Depth Security
Security Services
CenturyLink SOC
Comprehensive set of security products and services at the customer premises, in the network and at the data center, managed through the Security Operations Centers.
24/7 Monitoring, Management and Incident Response
Security Services Web Portal
IAAS CLOUD COMPUTING CONTROLS
• Robust reporting and self management portal
• Monitored and managed, with configuration support
• Security functionality provided from the network
NETWORK-BASED SERVICES
Corporate Firewall
Internet
Corporate Network
Threat Intelligence
Internet Traffic Analysis
Commercial Security Products
Corporate Network Traffic
Critical Infrastructure Protection (ECS / IPSS)
Open Source
Thank You
Dave Mahon
Let us help you discover & overcome your infrastructure’s most vulnerable points
Take the Assessment