lumension security - adjusting our defenses for 2012
DESCRIPTION
Endpoint security is most important in 2012. Some statistics and predictions by expert, Mr.Paul A. Henry MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM,.TRANSCRIPT
Adjusting Our Defenses For 2012The following presentation reflects the opinions of the author
Paul A. HenryMCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, ACE, GCFA, VCP4/5, vExpert
Security & Forensic Analyst
Quick Review – Notable Issues In 2011
•Notable issues in 2011» DigiNotar » The Beast» Epsilon Breach» Sony Breach» RSA Breach» Android Malware Growth» BYOD Adoption
2PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
DigiNotar
•Hackers compromised DigiNotar and made off with 500 Certificates
•They quickly generated numerous illegal certificates including one for Google.com which reportedly was used by the Iranian government to spy on 300,000 Iranians
•Apple, Google, Microsoft, Mozilla and Opera released updates to block users from sites using DigiNotar related certificates» Apple was slow in pushing out an update that actually worked» The issue highlighted a problem in updating mobile devices as users
were dependent on the update from their carrier
•Fast responses from (some) vendors mitigated a HUGE risk but it was perhaps to little to late for dissidents in Iran
3PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
The Beast
•The Beast - Hackers found a weakness in version 1.0 and earlier versions of TLS that could allow an attacker to silently decrypt data that's passing between a webserver and an end-user browser» Plain text recovery attack
•Problem was that at the time of its discovery that was the predominate version of TLS used by most browsers
•Browser vendors responded quickly with updates to newer and unaffected versions of TLS in their browsers» What about all the VoIP phones in use today» We have not heard the last of the issue
•Fast responses from (some) vendors mitigated a HUGE risk
4PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Epsilon
•Epsilon – The company handled mailing lists for 2500 clients including 7 of the Fortune 10» …. Jonathan Zittrain, a professor of law at Harvard Law School and co-
founder of the Berkman Center for Internet & Society, told Brian Krebs, Epsilon was lazy in its security. "Worse, customers who specifically asked to opt out of marketing emails were also affected. Opting out should mean genuine removal from the database, rather than retention in the database with a marker indicating that someone has opted out.”…. Source Computerworld
•Epsilon - a rolodex for hackers in Spear Phishing attacks•The Epsilon hack highlights the danger of a large amount of data entrusted to a single vendor… and perhaps highlights the potential risks of large data-stores in the Cloud
•Don’t keep all the eggs in a one basket and validate the security of your provider
5PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Sony Breaches
•Sony – Perhaps targest theft of identity information on record» Un-patched Redhat server connected directly to the Internet
without a firewall• What did they really expect was going to happen….
•We can not confirm that Credit Card information was taken…» Yes when you don’t have a firewall in front of the server you will
not have logs to determine what was removed from the server…
•The estimated costs to Sony as a result of the breach go as high as $5.6 BILLION
•Using good security to prevent a breach is cheaper then cleaning up the mess afterwards…
6PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
RSA (1)
•When a small to medium sized company has a breach they are punished for being irresponsible» When it happens to a behemoth it is unapologetically called
APT
•So many questions remain…» Why was RSA not using their own products to protect their
environment?
» Why was Amazon not taken to task after it was revealed that the Amazon Cloud was used in cracking the internal passwords to facilitate the RSA breach?
» Why has no one mentioned that the current issue with RSA Tokens seems eerily similar to the problem with the Pre-AES Tokens back in 2000 – See Cain & Able
7PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
RSA (2)
•With the RSA breach what did we learn?
» Policies without technical safeguards are useless
» Passwords still suck
» Hard shell / soft center is not simply not an acceptable security posture in the current threat environment
» Apparently if you’re a behemoth you can get away with having poor security and calling the attack an APT
8PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Android Malware (1)
•Fastest growing mobile OS•Over 300,000 Android activations a day•Android overtook iOS as the dominant OS in US during 2H 2010
•First phone launched HTC G1 in 2008•Currently an OS of choice for Motorola, HTC, Samsung, Sony Ericsson, among others
Android Malware (2)
•With all of the news about malicious Droid Apps downloaded from the Droid Marketplace it is clearly apparent that testing apps is perhaps not a high priority before turning them loose on users
Android Malware (3)
•A good example of Android security issues was highlighted with Angry Birds. Duo Security showed us that it was possible to install an app that allowed the unprompted installation of arbitrary applications with arbitrary permissions on a victim’s device
http://blog.duosecurity.com
When Angry Birds Attack
•Hmmm…
When Angry Birds Attack
•Ouch…
The Droid Dream Fiasco
•There are serious issues over at Google’s Android Market
15PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Android – The Road Ahead In 2012
• If you use an Android smartphone you are now 2.5 times more likely to encounter malware (malicious software) than you were six months ago.
•In 2011, 30% of Android users were likely to encounter a Web-based threat such as phishing scams, "drive by downloads" and browser exploits.
http://www.cnn.com/2011/TECH/mobile/08/04/lookout.threat.report.gahran/
16PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
BYOD – Blind Adoption
• A recent survey of Companies with 2,000 or more employees indicated that 70% permitted BYOD yet less then 30% had policies to address device security
17PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Considerations - Moving Forward in 2012
•Java•QRCodes•BYOD •Injection Malware•VoIP Attacks•Virtualization
Our Flaw Remediation Is Missing The Target
•Since 2009 the most hacked software was 3rd party apps and browser add-ons like Adobe and Quicktime.
•In Q4 2011 the new leading threat vector became Java
•Yet we focus our attention on patching Microsoft OS/Applications.
18
The bad guys know it… and are taking full advantage
QR Codes
•QR codes are becoming the new SPAM» In the simplest of terms a QR Code (or Quick Response
code) is a two dimensional barcode that can contain up to 4,296 alphanumeric characters.
» Their popularity has of course exploded one recent study showed that in June of 2011 over 14 million Americans scanned QR Codes with their mobile phone.
Talk About Bad Timing
•Malicious URLs are at all time highs – from Q2 2011 to Q4 2011 they are up an additional 89%
•QR scanning growth is exploding – the Mobile Barcode Trend Report provides interesting statics:»Active users of QR Codes is up 525%»Average number of scans per code is up 39%
Talk About Bad Timing (2)
•Mobile Marketer reports QR code scanning is up 4,549%
• It’s easy for anyone to create a QR code with any kind of content
• Mobile devices such as iPhones and Androids out of the box are poorly equipped to deal with filtering QR codes and their underlying URLs
Talk About Bad Timing (3)
•Malicious QR codes are already making money for the bad guys. It is a certainty that the use of malicious QR codes will expand.
BYOD (1)
•Organizations are embracing BYOD without considering the security risks
•At the same time the landscape of mobile devices is changing dramatically
BYOD (2)
•The time to get serious about security in BYOD is long over due
BYOD (3)
•Long overdue Google Bouncer
Injection Malware (1)
•Inserting malware in to a running process is now common
Injection Malware (2)
Injection Malware (3)
Hactivism Continues To Grow
•Anonymous is getting even more aggressive
Hactivists Have Discovered VoIP
VoIP – The Song Remains The Same…
VoIP Is Becoming A More Popular Vehicle
What Took So Long?
1
2
3 4
Wireshark – VoIP Call Sniffing / Recording
UCSniff – Automated VoIP VLAN Hopping
Virtualization – The Stars Are In Alignment (1)
Virtualization – The Stars Are In Alignment (2)
2012 Initiatives
1. Adjust flaw remediation program immediately to include Java
2. Establish policies for QRcodes and deploy technical safeguards – Mobile device URL filter?
3. Establish policies for BYOD and deploy technical safeguards – many are free !
4. No longer your grandfathers malware - Migrate to White Listing / Application Control
5. Get control of VoIP before it controls you6. Virtualization is ripe for the picking, the party is
over Host and Guest security must be a priority