is your website the soft underbelly of your organisation?

Is your website the soft underbelly of your organisation? 1

Is your website the soft underbelly of your organisation?

Andrew HorburySenior Product Marketing Manager - Symantec

Today’s Agenda


What is an APT and targeted attacks1

Spear Phishing

Targeted attacks by co. size and vertical

Cybercrime and targeted attacks

Watering hole attacks

Vulnerabilities

Next steps

2

3

4

5

6

7

What is an APT?• A type of targeted attack

– Using a variety of techniques• Drive by downloads• SQL Injection• Phishing• Spam• Spyware• And more…..

• An APT is always a targeted attack but atargeted attack is not necessarily an APT.

• APTs differ for targeted attacks:– Customized

– Low and Slow

– Higher Aspirations

– Specific AttacksIs your website the soft underbelly of your organisation? 3

GhostNet

• GhostNet is perhaps a stand out classic example of a long-term, persistent, targeted attack

• Starting in May 2007 it continued for nearly two years, infecting some computers for as long as 660 days


What is a targeted attack• Targeted attacks

– Aimed at one person or a specific group

– Driven by financial motives cybercriminals targeted attacks are replacing global widespread virus outbreaks.


6

Send an email to a person of interest

Spear Phishing

7


Spear Phishing

Infect a website

and lie in wait for

them

Watering Hole

Attack

Spear Phishing


• Research shows that calling ahead adds credibility to a targeted attack

Using the Phone to back up a Phishing Attack• What can attackers do to improve success rate of phishing

email?• On 11 April 2013, an employee in an “Organisation A” in

France received a phone call• French speaking caller, urges her to download an invoice

from a link she will receive through email• Link doesn’t go to an invoice but instead

installs a version of W32.Shadesrat, a well-known Remote Access Trojan.

9Is your website the soft underbelly of your organisation?

10

Targeted Attacks by Company Size

Greatest growth in 2012 is at companies with <250 employees

Small business often not well protected, but connected to others

Employees2,501+

50% 2,501+ 50% 1 to 2,500

50%

1,501 to 2,500

1,001 to 1,500501 to 1,000251 to 500

1 to 250

18%in 2011

9%

2%3%5%

31%


11

Targeted Attacks by Company Size

Greatest growth in 2012 is at companies with <250 employees

Small business often not well protected, but connected to others

Employees2,501+

50% 2,501+ 50% 1 to 2,500

50%

1,501 to 2,500

1,001 to 1,500501 to 1,000251 to 500

1 to 250

18%in 2011

9%

2%3%5%

31%

87% of SMBs suffered a cyberattack last year, only

44% see security as a priority


12

Transportation, Communications, Electric, Gas

Aerospace

Retail

Wholesale

Services – Professional

Energy/Utilities

Government

Services – Non-Traditional

Finance, Insurance & Real Estate

Manufacturing

0% 5% 10% 15% 20% 25% 30%

1%

2%

2%

2%

8%

10%

12%

17%

19%

24%Manufacturing



Government

Energy/Utilities


Wholesale

Retail

Aerospace


Targeted Attacks by Industry: 2012


13


Aerospace

Retail

Wholesale


Energy/Utilities

Government



Manufacturing

0% 5% 10% 15% 20% 25% 30%

1%

2%

2%

2%

8%

10%

12%

17%

19%

24%Manufacturing



Government

Energy/Utilities


Wholesale

Retail

Aerospace


Targeted Attacks by Industry: 2012


0%

5%

10%

15%

20%

25%

30% R&D27%

Senior12%

C-Level17%

Sales24%

Shared Mailbox

13%

Recruitment4% Media

3% PA1%

• Attacks may start with the ultimate target but often look opportunistically for any entry into a company

14

Targeted Attacks by Job Function: 2012


Why is a targeted attack different from ‘vanilla’ cyber crime?

15


cyber crime Targeted attack“Advanced Persistent Threats (APT)”

Aurora, Nitro, NightDragon, ShadyRAT, Taidoor, LuckyCAT

16


What does CyberCrime mean?

17

Online banking credentials

P.I.I / Credit Card numbers

Fake AV

Purchasing scams / Fraud

Botnet &Pay Per Install


Cyber crime Targeted attack“Advanced Persistent Threats (APT)”

Aurora, Nitro, NightDragon, ShadyRAT, Taidoor, LuckyCAT

18


Cost of a data breach• In 2012, the average per capita cost of a UK data breach caused

by a malicious or criminal attack was $157.*• The most and least expensive breaches.

– German and US co’s had the most costly data breaches ($199 and $188 per record

– These countries also experienced the highest total cost (US at $5.4 million and Germany at $4.8 million). The least costly breaches occurred in Brazil and India ($58 and $42, respectively). In Brazil total cost was $1.3 million and in India it was $1.1 million.

*Source: http://www.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-global-report-2013.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Jun_worldwide_CostofaDataBreach Is your website the soft underbelly of your organisation? 1

9

http://www.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-global-report-2013.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Jun_worldwide_CostofaDataBreach






It’s not just about direct attacks or e-mail

20


21

Targeted Attacks predominantly start as spear phishing attacks

In 2012, Watering Hole Attacks emerged


Spear Phishing

Infect a website and lie in wait for them

Watering Hole Attack


22

Effectiveness of Watering Hole Attacks

Watering Hole attacks are targeted at specific groups

Can capture a large number of victims in a very short time

http://bit.ly/Elderwood

Infected 500 Companies

Watering Hole Attack in 2012

1All Within 24 Hours


Watering Hole Targeted iOS Developers

23

In 2013 this type of attack will become widely usedSeveral high profile companies fell victim to just such an attack


Recent Examples of Water Hole Attack

• In 2013 we predict this type of attack will become more widely used

• In February this year several high profile companies fell victim to this type of attack

24


Zero-Day Vulnerabilities

2006 2007 2008 2009 2010 2011 2012

13

15

9

12

14

8

14

Total Volume

Total Volume

25


Zero-Day Vulnerabilities

2006 2007 2008 2009 2010 2011 20120

5

10

15

20

25

1315

912

14

8

14

42

3 4

Total VolumeElderwoodStuxnet

One group can significantly affect yearly numbersThe Elderwood gang drove the rise in zero day vulnerabilities

26


All vulnerabilities

2006 2007 2008 2009 2010 2011 20120

1000

2000

3000

4000

5000

6000

7000

All vulnerabili-ties 5291

All vulnerabilities

• No significant rise or fall in discovery of new vulnerabilities in last six years

27


2010 2011 20120

10,000

20,000

30,000

40,000

50,000

60,000

70,000

80,000

74,000

55,000

43,000

New unique malicious web domains

DecreaseIn new malicious domains

28


29

30% increasein web attacks blocked…

190,370

2011 2012

247,350


30

Our Websites are Being Used Against Us

61%of web sites serving

malware are legitimate sites 25%

have critical vulnerabilities unpatched

53%of legitimate websites have unpatched vulnerabilities


Warning…..your site is infected and you might never recover


What do I need to do now?• Employees: your first line of defence

– 38 percent of employees say their manager views data protection as a business priority

• Security awareness and the respecting the value of company data needs to be ingrained throughout the company culture


What happens when the first line fails• Use spyware to log keystrokes, switch on microphones and cameras

and record with them, and listen in on VOIP calls and IM• Use your servers and websites to launch additional malware attacks• Infiltrate your email system to distribute spam or, more, likely further

targeted attacks• Look for further vulnerabilities in your network to exploit• Monitor your network and website traffic• Infect your websites to target visitors with malicious code• Search for encryption keys in your servers• Export customer data, intellectual property and financial information• Take control over automated systems• Send messages from and display messages on individual devices.


Knowledge and technology: your second line of defence


Assessment type What we look for

Malicious Activity Uncover and analyse malicious activities in your environment, such as suspicious network activity

Targeted Attacks Look for evidence of infection specific to your organisation

Data Loss Find data spills that could be targets for hackers

Vulnerability Analyse web applications, databases, servers, and network devices for vulnerabilities.

Protection through policy: your final line of defence

Ponemon 2013 Cost of Data Breach Study* found:• A strong security posture, reduced the per capita cost by $20• An incident response plan, reduced the per capita cost by $20• The appointment of a Chief Information Security Officer (CISO)

who has centralised responsibility for data protection, which reduced the per capita cost by $14

* Pomenon 2013 Cost of Data Breach Study

http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon-2013







How Symantec can help (Print Screen) Symantec technology What it does How it can help

Symantec Extended Validation SSL Certificates

Encrypts confidential information, such as credit card data, between the browser and your servers. Also confirms the identity of the website in the browser address bar.

• Powerful encryption• Visible security• Authenticates the website• Greater customer trust• Increased conversions.

Web Site Malware Scanning Scans websites for malware infections. Reduces the risk of warnings and blocking by search engines and the risk of reputation damage when a site infects its visitors.

Symantec Managed PKI for SSL Lets website managers keep track of all their SSL certificates from a web-hosted management console.

Reduce the risk of accidental certificate expiry and credibility-damaging certificate warnings.

Always-on SSL with Symantec Secure Site Pro SSL Certificates

Always-on SSL is used by sites such as Google, Facebook and LinkedIn to protect all the user’s interactions with the site.

Build trust and encourage user interaction by making sure that it is all encrypted and secure.

The Norton™ Secured Seal Shows customers that you value their trust and that your site is secure because it has been scanned weekly for malware and vulnerabilities.

The Norton™ Secured Seal is the most recognised trust mark on the Internet

Symantec Seal-in-Search™ Displays the widely-recognised Norton Secured Seal trust mark in web search results.

Increase search trafficIncrease customer trust and confidence.

36


Stay informed

• Follow us on twitter @nortonsecured @threatintel• www.symantec.com/threatreport • go.symantec.com/ssl• Blogs

www.symantec.com/connect/blogs/website-security-solutions

37


http://www.symantec.com/threatreport

http://www.symantec.com/connect/blogs/website-security-solutions

http://www.symantec.com/connect/blogs/website-security-solutions

Thank you!

Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Andrew [email protected]+44 207 4485 623

is your website the soft underbelly of your organisation?

Technology

targeted attack

home tab

spear phishing

soft underbelly

desired object

text box

type ctrl

select text