
Cybersecurity: The Latest Threats

Defend. Discover. Remediate.


Peter Romness, Business Development Manager, Public Sector Cybersecurity, Cisco Systems Inc. (promness@cisco.com)

What do the bad guys want?

Money / Financial
Disruption
Strategic Advantage

The Threat Evolution

(Timeline chart: 2000, 2005, 2010, Tomorrow)

Threats: Worms; Spyware / Rootkits; APTs / Cyberware; Increased Attack Surface (Mobility & Cloud)

Enterprise Response: Anti-virus (Host based); IDS/IPS (Network Perimeter); Reputation (global) & Sandboxing; Intelligence & Analytics (Cloud)

Examples of Cyber Threats in the News

Stuxnet, Night Dragon, Shamoon, Zeus (Zitmo), Buckshot Yankee, Citadel, SpyEye (Spitmo), Nitro, DuQu, Flame, Sykipot, Aurora, Shady Rat

Threat Characteristics:
Custom-written for target
Bypass the perimeter
Spread laterally on internal network where detection abilities were limited
Evade traditional detection techniques

Cyber Threats: Effectiveness of Phishing

More than 95% of all attacks tied to State-Affiliated espionage employed Phishing as a means of establishing a foothold in their intended victims' systems.

- Verizon Data Breach Report

Cyber Threat Detection: Current Status

How Malware is Found
49% External Party (LE, Fraud Detection Org., Customer, etc.) [1]
28% Self Detection, Passive (Employee, Slow Network, etc.) [1]
16% Self Detection, Active (Security Devices) [1]

How Long Until Threats are Found
416: average number of days an Advanced Persistent Threat sits on your network before detection! [7]

Compromise Is Not If, But When
59% of organizations believe they have been cyber threat targets [5]
46% believe they are still highly vulnerable despite increased prevention investments [5]

Sources: 1 Verizon Data Breach Report; 2 US House Intelligence; 3 NSA; 4 Bloomberg; 5 GAO; 6 ESG; 7 Mandiant

Cost of a Cyber Breach: Loss of Revenue

$1T/year private sector revenue loss from cyber espionage [2]
$100B/year cost of cybercrime in the US [6]
$1B/year in cyber bank robberies [4]
$43M/year for traditional bank robberies
$? State data record breaches + indirect costs
25% of stolen PII records = victims of Identity Fraud

Cost of a Cyber Breach - South Carolina

3.8M tax records stolen
$20M for notification and credit checks + $25M for remediation
$11.84 per record so far
Taxpayer confidence lost; added costs due to paper tax filing

Sources: 1 Verizon Data Breach Report; 2 US House Intelligence; 3 NSA; 4 Bloomberg; 5 GAO; 6 McAfee / CSIS

Top 10 Government Breaches 2012

1. South Carolina Department of Revenue - 3.8 million tax returns - phishing attack
2. California Department of Social Services - sensitive payroll information, 700,000 individuals - mail en route between IT contractors and the Department of Social Services
3. Utah Department of Health - health information and PII, 780,000 Utah citizens - Eastern European hackers taking advantage of poor authentication configuration following database migration to a new server
4. California Department of Child Support Services - sensitive health and financial records, 800,000 records - lost FedEx shipment
5. United States Bureau of Justice Statistics - embarrassed; 1.7 GB of sensitive data leaked, emails / data dump
6. City of Springfield, MO - city claims 2,100 records; Anonymous claims more than 1,000 vehicle descriptions from online police reports and records from more than 280,000 summons filed in city digital data stores
7. United States Navy & DHS - usernames, passwords, email IDs, and security questions and answers for all users on Dep. websites - blind SQL injection attacks
8. Wisconsin Department of Revenue - sensitive seller information, 110,000 people and businesses who sold property in 2011 - embedded file in a Microsoft Access file
9. NASA - PII of 10,000 employees - unencrypted agency laptop, stolen from employee's car
10. New Hampshire Department of Corrections - unauthorized access; inmates accessed the main offender management database system

Cybersecurity: Your View?

(Word cloud of drivers and concerns:) Nation States, Government Regulations, Internal Policies, NIST Policy, Reputation, Revenue Loss, DOD 8570, Malware, Customer, Property Destruction, Anonymous, Hackers, Intellectual Property Theft, Education Partners, PII Theft, Embarrassment, NERC CIP, Allies, Advanced Persistent Threat, Insider Threat, DISA STIG, Protecting National Security, Money Theft, MS-ISAC, Espionage

Cybersecurity Scope

Governance: Regulations, Standards, Policy, Education
Scope: User, Network, Systems
Layers: Application, Presentation, Session, Transport, Network, Data Link, Physical
Content Security; Network Security; Secure Network Fabric; Trusted Systems
Cisco Advanced Services
Partner / Distribution / Delivery: Supply Chain, Counterfeit, Channels

Protecting the Castle

Safe Supplies
Subjects Trained
Wall, Moat & Bridge
Guards at Gate & Walls
Internal Patrols

Protecting the Enterprise

Secure Supply Chain (Safe Supplies)
People: Personnel Training (Subjects Trained)
Perimeter Protection (Wall, Moat & Bridge)
Access Control (Guards at Gate & Walls)
Continuous Monitoring (Internal Patrols)

Goal: Identify Attacks Early

Network Visibility and Security Intelligence
Detect and Resolve Advanced Threats
Accelerate Incident Response and Forensic Investigations
Reduce Operational and Enterprise Risks

(Chart: Impact to the Organization vs. Time. Labels: attack onset, early warning, attack identified, attack thwarted, data compromised, Mean Time To Know, Crisis Region, vulnerability closed.)

Education, Training & Testing

IT Management & Workforce: Promote Formal Education and Training (SANS Institute / MS-ISAC / University Certifications): Certified Cybersecurity Analyst, CCNA, CCNP, CCIE, CISSP

User: Cyber Threats, Compromise Instructions (DOD Model)

Testing: Security Assessment, Network Penetration Testing, etc.; Cyber Exercises

Take-aways

There is no Silver Bullet - Silver Buckshot
Good News: You already have much of what you need
It is manageable
Train your People
Look into Internal Network monitoring
Try to Sleep well

Peter Romness promness@cisco.com


How Malware Works

Progression into the network: Gets In -> Receives Instructions -> Spreads -> Hides

Gets In (Initial Infection Vector): Hacking, Email, Web, Flash Media
Receives Instructions (Command and Control): Web, P-2-P, DNS
Spreads (Propagation Mechanism): User Interaction, Autorun USB, Network, Browser Plug-ins
Hides (Persistent Mechanism): Registry, Kernel rootkits, Device drivers

Implications for Security

Functions need to work as a system:

Defend: Policy & Access Control; Blocking
Discover: Increased Content Inspection; Behavior Anomaly Detection; Assess Environment & Threat; Advanced Forensics
Remediate: Contain (Quarantine Advanced Threats; Re-routing Traffic Inside the Network); Fix
