Brksec 2001

BRKSEC-2001
Emerging & Evolving Threats

Follow us on Twitter for real time updates of the event:
@ciscoliveeurope, #CLEUR
2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2001
2
Housekeeping
We value your feedback- don't forget to complete your online session
evaluations after each session & the Overall Conference Evaluation
which will be available online from Thursday
Visit the World of Solutions and Meet the Engineer
Visit the Cisco Store to purchase your recommended readings
Please switch off your mobile phones
After the event dont forget to visit Cisco Live Virtual:
www.ciscolivevirtual.com
Follow us on Twitter for real time updates of the event:
@ciscoliveeurope, #CLEUR

3
Agenda
Tomorrows world
Setting the scene : Threats - overview & definitions
Year in Review : recent & evolving threats
Emerging threats : trends for 2012-2014
How do we respond ?
Please raise your hand if you attended
this session last year ?
5
Agenda
Tomorrows world
Emerging threats : trends for 2011 & 2012
How do we respond ?
6
A mobile phone: 97%
The Internet: 84%
A car: 64%
My current partner: 43%

Source: BITKOM Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V., 2010

I cannot imagine a life without

The Impact the Internet has on our Life
% of the 14-29 year population

7
Local and remote collaboration
are considered equal
Collaboration Everywhere
8
We will be able to Do Work, Not Go To Work
9
Corporate Networks and offices will be different
10
Security policies need to be identity & context-centric
11
Privacy in 2020 = Privacy in 2010?
12
The Extinction Timeline
2012: Fax machines
2014: Getting lost
2017: Wired Ethernet for end users
2018: Laptop (replaced by Thin Client)
2020: Copyright
2021: Dial tone
2027: Phone numbers
2030: Keys
2033: Coins
2045: Employment (personnel cloud mturk.com)
2049: Physical newspapers
2050: Office buildings

Source: rossdawsonblog.com/weblog/archives/2007/10/extinction_time.html and Cisco Innovation workshop, December 2010
13
Agenda
Tomorrows world
Emerging threats : trends for 2011 & 2012
How do we respond ?
14
What? Where? Why?
What is a Threat?
An indication or warning of probable trouble
Where are Threats?
Everywhere you can, and more importantly, cannot think of
Why are there Threats?
The almighty dollar (or euro)
Political and nationalistic motivations
Personal motivations
15
Criminal Specialization Driving More
Sophisticated Attacks
The Evolving Security Threats
Web Ecosystem Becomes Number
one Threat Vector
Criminals Exploit Users Trust, Challenging
Traditional Security Solutions
Creative Methods (Business Models)
Used to Attract Victims
15
16
Criminal MBA:
Emulating Successful Businesses
Market and business intelligence
Customer acquisition and services
Products and services
Partnerships and affiliations
Professional services

17
Cybercrime Business Cycle
Group develops and tests custom malcode
Custom malcode is made available for purchase
Hosting environments are paid to host malicious code on sites that they control
bulletproof servers
Malcode downloaded to compromised devices by pay-per-install affiliates
Malcode collects information to sell (multiple accounts, associations, IP,
sensitive information)
Bank Account credentials, identities, website admin credentials also for sale
18
Criminals #1 Tool: Botnets

0
5000
10000
15000
20000
25000
30000
3
0
/
0
9
/
2
0
0
6
0
2
/
1
0
/
2
0
0
6
0
4
/
1
0
/
2
0
0
6
0
6
/
1
0
/
2
0
0
6
0
8
/
1
0
/
2
0
0
6
1
0
/
1
0
/
2
0
0
6
1
2
/
1
0
/
2
0
0
6
1
4
/
1
0
/
2
0
0
6
1
6
/
1
0
/
2
0
0
6
1
8
/
1
0
/
2
0
0
6
2
0
/
1
0
/
2
0
0
6
2
2
/
1
0
/
2
0
0
6
2
4
/
1
0
/
2
0
0
6
2
6
/
1
0
/
2
0
0
6
2
8
/
1
0
/
2
0
0
6
3
0
/
1
0
/
2
0
0
6
0
1
/
1
1
/
2
0
0
6
0
3
/
1
1
/
2
0
0
6
0
5
/
1
1
/
2
0
0
6
0
7
/
1
1
/
2
0
0
6
0
9
/
1
1
/
2
0
0
6
1
1
/
1
1
/
2
0
0
6
1
3
/
1
1
/
2
0
0
6
1
5
/
1
1
/
2
0
0
6
1
7
/
1
1
/
2
0
0
6
1
9
/
1
1
/
2
0
0
6
2
1
/
1
1
/
2
0
0
6
2
3
/
1
1
/
2
0
0
6
2
5
/
1
1
/
2
0
0
6
2
7
/
1
1
/
2
0
0
6
2
9
/
1
1
/
2
0
0
6
0
1
/
1
2
/
2
0
0
6
0
3
/
1
2
/
2
0
0
6
0
5
/
1
2
/
2
0
0
6
0
7
/
1
2
/
2
0
0
6
0
9
/
1
2
/
2
0
0
6
1
1
/
1
2
/
2
0
0
6
1
3
/
1
2
/
2
0
0
6
1
5
/
1
2
/
2
0
0
6
1
7
/
1
2
/
2
0
0
6
1
9
/
1
2
/
2
0
0
6
2
1
/
1
2
/
2
0
0
6
2
3
/
1
2
/
2
0
0
6
2
5
/
1
2
/
2
0
0
6
2
7
/
1
2
/
2
0
0
6
2
9
/
1
2
/
2
0
0
6
High Profile Bots, 4Q10
Source: Cisco IPS
Rustock
GBot
Grumbot
Pushdo (aka Cutwail)
Swizzor
Top Ten Botnets are spam and data theft

Despite takedown and vacations, top Botnets reinvent and reshape
(Waledac/Storm, Mariposa, Rustock, Coreflood)

19
Fast Flux and Double-flux
C&C system is
hidden
Very low time to
live (TTL) in DNS
A Record
Botnets are the
new DNS servers
Now double-flux
with multiple
disposable DNS
servers per
malicious domain

Source: www.honeynet.org
20
Criminal SaaS Offerings Expand
Service dedicated to checking if a malware executable is detectable by AV
engines:
21

Social Engineering: 7 Deadly Weaknesses
1. Sex Appeal its still the best seller
2. Greed - too good to be true
3. Vanity - you are special right?
4. Trust - Implied or transient
5. Sloth - dont check, its probably okay
6. Compassion - pleasedonations, lost, need help, any emergency,
disaster.
7. Urgency - must act now, time is running out

22
The Exploitation of Trust:
Cybercriminals Most Powerful Weapon
Implied Trust: An individual,
business or organizations that users
are familiar with and implicitly trust:
Email security updates form major
vendors, their banks, government
agencies, FedEx/UPS/DHL

Transient Trust: The six degrees
of separation/Small World
Experiment, chain of trust, friend of a
friend, of a friendinherently flawed
trust model used on social networks
23
Examples of Threats
Targeted Hacking
Vulnerability Exploitation
Malware Outbreaks
Economic Espionage
Intellectual Property Theft or Loss
Network Access Abuse
Theft of IT Resources
Denial of Service
24
Agenda
Tomorrows world
How do we respond ?
25
Cisco 2009 Cybercrime ROI Matrix
26
27
28
A Day in the Life of a Money Mule
I need a
job!
Recruited
and
passed to
handler
Handler
provides
mule
instructions
to open
accounts
Handler
coordinates
transfers from
operators to mule
Mule withdraws
funds and send
via transfer

Handler collects or
other mules transfer
again
Mule is
abandoned or
arrested

29
Some 2011 Cyber Security Top Ten
Industrial / SCADA network attacks : StuxNet / Duqu
Targeted attacks : Sony, Lockheed Martin, AT&T
Anonymous
LulzSec
Ivy League Academic Content turbo downloader
DNSchanger
Apple iPad Snoop
Celebrity Hackerazzi
Gucci

Increase in targeted attacks and Advanced Persistent Threats

30
Advanced Persistent Threats (APT)
Advanced, persistent, and a threat
This is not your script kiddies attack
It is not you typical blended/combined attack
What is your risk?
Are you really vulnerable?
Is it a real threat?
What is the real impact?
Black Swan?
APTs will become more common, continue to evolve,
increase in sophistication, automation and availability

Complex and sophisticated
31
Stuxnet
Discovered in September 2010
The complexity of the software is very unusual for malware, and consists of
attacks against three different systems:
- The Windows operating system,
- An industrial software application that runs on Windows
- A Siemens programmable logic controller (PLC) & SCADA networks
Similar Advanced Persistent Threats similar to Stuxnet have now been
discovered :
- DUQU
Uses :
Nuclear plants
Utilities
Manufacturing sites

32
Stuxnet: Advanced Persistent Threats
Stuxnet is deliberately designed to spread to non-networked
computers in order to eventually infect Step 7 project files.
These files are used to program the PLC, which controls
critical industrial processes. This diagram is an example of
Stuxnet propagation in an industrial control facility.
33
Stuxnet C&C
The malware communicates to the C&C server through http. A list of
URLs is included in the Stuxnet configuration data of Stuxnet:
- www.windowsupdate.com;
- www.msn.com;
- www.mypremierfutbol.com;
- www.todaysfutbol.com
The first two URLs are used to check that the system has connection to
the Internet, while the third and the fourth are URLs of C&C servers.
34
Stuxnet geographical distribution
35
Stuxnet : some initial conclusions
Highly sophisticated blended attack
- Intelligence
- Complex propagation mechanism
- Identification mechanisms
- Multiple platforms
Highly specific
- Industrial networks used for industrial espionage
- Precisely identifies the systems it infects through a finger-printing process
Highly targeted
- Geographically
- Politically ?
36
Hactivists/Activists
A community and social problem
Rely on intimidation, not snitching, anonymity
Motivated by political, social and religious agendas
socially motivated, the Slashdot effect
Technical aspects well understood:
- LOIC: Low Orbit Ion Cannon
- TCP, UDP, HTML packet flooding
- Doesnt include anonymization
The most common DoS is the self-inflicted/human error

37
Anonymous & affiliates
38
Sony breach
May 2011
77 Million PlayStation users affected
24.5 Million Sony Online entertainment customers affected
Hack consisted of a single SQL injection, hacking a database with
passwords stored in text format !
Motivation : discredit Sony
Attacker : LulzSec
39
Lockheed-Martin
RSA attacked in March 2011 Phishing e-mails to RSA employees.
Excel attachment exploited a backdoor in Adobe Flash, used to gain
control of servers in RSA network.
Attackers gained access to database of Token ID mappings to token
seeds.
Attackers used Remote VPN access to then break into Lockheed-
Martin Network.
Lockheed-Martin detected the attack and shut down the remote
access servers to block attack.

2-stage attack, involving RSA Security breach
40
Gendarmerie Nationale Franaise
December 2011
Malware from video streaming websites downloaded from advert link
Exploited Java vulnerability
Installed a Trojan
Informed the user of illegal use of his computer / Internet access
Blocked the computer until a fine had been paid
Social engineering attack
41
Agenda
Tomorrows world
How do we respond ?
Bill Gates
We always overestimate the change that will
occur in the next two years and underestimate
the change that will occur in the next ten

43
Trend
44
Trends
45
Market trends
Trend # 1 : BYOD
47
Consumerization of unmanaged Devices
More types of new devices
being added to networks
Diversity of OSs and Apps
New network entrance and
exit points
More data in more places to
be protected
software glitches that need to be fixedare part of the 'new reality'
of making complex cell phones in large volumes.
Jim Balsillie, RIM CEO
48
BYOD : smartphones & tablets
49
Difficult to control and secure (1/3 of
all workers are out of the office)
Malware (Web: #1 attack vector)
Vulnerability to the organization
Data loss from lost or stolen devices
Access control breach
Policy compliance challenges
THREATS
BYOD Security Risks
Employee-owned Mobile Devices Are Riskiest
BYOD
*
is Riskiest
Source: 2011 ISACA IT Risk/Reward Barometer, US Edition (www.isaca.org/risk-reward-barometer)
50
Network Eng:
How do I troubleshoot
access problems?
How do I separate
device issues from network
and policy issues?
How do I ensure user
experience?
Applications Team:
How do I ensure consistent App experiences on
all devices?
How do we troubleshoot App vs. Network vs. Device
problems?
How do we ensure Application interoperability?

Security Ops:
How do I protect my network
and data assets from
unauthorized access, malware,
attacks, DLP, device
loss/theft, etc.?
How do I implement multiple
security policies
per user, device, etc.?
Compliance Ops:
How do I ensure corporate
compliance (SOX, HIPAA,
etc.)?
Network Ops:
What devices are on my
networks?
Which users are using
what devices?
What apps are being
accessed?
What are the real-time app
performance metrics?
But, Is IT Ready for the BYOD Flood?

Endpoint Team:
How and what do I support?
How do I handle asset
management?

Trend #2 : Cloud
52
The Cloud
Definition: A style of computing where scalable and elastic IT capabilities
are provided as a service to multiple customers using Internet
technologies
Cloud Service Models:
Infrastructure as a Service (laaS) Physical hardware
Platform as a Service (PaaS) IaaS, OS, and Applications
Software as a Service (SaaS) Software Applications
Deployment Models:
Public Cloud Shared cloud infrastructure
Private Cloud Exclusive cloud infrastruture
Community Cloud Private cloud shared
Hybrid Cloud Combination of cloud models
53
The Cloud
Regulatory requirements
HIPAA, PCI, SOX, etc
Location and governing jurisdiction
Outsourcing issues apply
Confidentiality/Integrity/Availability
Understand risks and have a BC/DR plan

Data Issues Abound
54
Source: http://blogs.zdnet.com/Hinchcliffe
Pros & Cons
Public Private Hybrid Community
Deployment Models
Service Delivery Models
Software as a
Service (SaaS)
Platform as a
Service (PaaS)
Infrastucture
as a Service
(IaaS)
Essential Characteristics
On-
Demand
Self Service
Broad Network
Access
Resource
Pooling
Rapid Elasticity
Measured
Service
Visual Model of NISTs
Working Definition
of Cloud Computing
http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html
C ommon implies multi-tenancy

L ocation-independent
O nline
U tility implies pay-for-use pricing
D emand implies ~infinite,
~immediate, ~invisible scalability
55
Cloud Security Services
Internet
Email
Web
Secure Mobility
56
Securing Cloud Access
Public
Cloud
Chris Hoff
57
Security Cloud Infrastructure
Private
Cloud
Virtualized
App Servers
Securing Cloud Access
Chris Hoff
58

Governing in the Cloud
Governance & Enterprise
Risk Management
Legal & eDiscovery
Compliance and Audit
Data Life Cycle Management
Portability & Interoperability

Operating in the Cloud
Traditional Security
Data Center Operations
Incident Response
Virtualization
Identity & Access Management
Application Security
Encryption & Key
Management
CSA: Security Guidance for Critical Areas of
Focus in Cloud Computing
Cloud Computing Architectural Framework
59
Cloud Risk Domains
IaaS
SaaS
PaaS
!
Information Security
!
Control &
Compliance
!
Availability &
Performance
!
IT & Business
Readiness
1. Data Security Ownership
2. Identity Access Control
3. Insider Abuse & Privilege
4. Internet Threats
7. Availability
8. Monitoring
5. Compliance
6. Service Location
60
Cloud Requires Trust!

61
Cloud Security Alliance
Trend #3 : Desktop Virtualization
63
Computing Architecture Choices
Where is computation happening?
A
p
p
l
i
c
a
t
i
o
n

O
S

D
e
s
k
t
o
p

Virtual Desktop Streaming Hosted Virtual Desktop
Application Streaming Hosted Virtual Application
Client-Based Computing Server-Based Computing
Synchronized
Desktop
Apps
WinXP
Display
Protocol
WinXP
Display
Protocol
64
Need for Security in VDI
Enterprises expect security policy compliance. Compliance is typically
achieved by using technologies such as 802 1.x based machine and
user authentication, IPSec/SSL VPNs, certificate based authentication
Moving to desktop virtualization creates an access layer in the data
center that needs to be secured similar to the Campus access
To enable BYOD in highly flexible hybrid deployments, versatile
remote access solutions are required
Antivirus solutions for VDI environment are required without impacting
TCO
Deep Packet Inspection in Data Center
65
Agenda
Tomorrows world
How do we respond ?
66
Security is a system
Policy
- Business-level
Processes
- Normal behavior
Monitoring & Reporting
Signature & Software updates
- Abnormal behavior
Attack handling
Post-attack analysis
Products
- Integration / systematic
People
- Awareness & Education
67
Things You Can Do - Corp

Stick to the Basics: Defense in
Depth, Risk Management, Incident
Response, Logging/Monitoring
Establish policy, procedures and
processes and enforce them
Use the existing technology to its full
capabilities
Protect in both direction: inbound
and outbound
Educate your users and staff
Stay focused

68
Cyber Security Strategy
Strategy, Policy and Procedures
Security Architecture
Risk Management
Holistic Approach
(Your) Best Practices
Incident Response
Awareness and Training
Business Continuity\
Disaster Recovery

Top Down or Bottom Up?
Goes both ways
69
Things You Can Do - Users
Secure the browsers:
www.us-cert.gov/reading_room/
securing_browser/
Manage Passwords with Available Tools
Secure Your Mobile Devices and Users
Establish Social Network Privacy Settings
Avoid Free and Public Wi-Fi Connections

70
2012 actions for Enterprise Security
1. Assess the totality of your network
2. Re-evaluate your acceptable use policy and business code of conduct
3. Determine what data / assets must be protected
4. Know where your data is and understand how (if?) it is secured
5. Assess user education practices
6. Use egress monitoring
7. Prepare for BYOD, Cloud & Virtualization
8. Create an incident response plan
9. Implement security measures to compensate for lack of control over social
networks
10. Monitor the dynamic risk landscape
71
Related sessions
BRKSEC-2009 Securing Cloud Computing
BRKSEC-2102 Securing Virtual Desktop Infrastructures
BRKSEC-2103 Understanding federated identity
BRKSEC-2345 Critical infrastructure protection
BRKSEC-2253 Mapping Cisco Security solutions to ISO 27001

BRKSEC- 2001
Recommended Reading
73
Please complete your Session Survey
Don't forget to complete your online session evaluations after each session.
Complete 4 session evaluations & the Overall Conference Evaluation
(available from Thursday) to receive your Cisco Live T-shirt

Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite
which can also be accessed through the screens at the Communication Stations

Or use the Cisco Live Mobile App to complete the
surveys from your phone, download the app at
www.ciscolivelondon.com/connect/mobile/app.html

We value your feedback
http://m.cisco.com/mat/cleu12/
1. Scan the QR code
(Go to http://tinyurl.com/qrmelist for QR code reader
software, alternatively type in the access URL above)
2. Download the app or access the mobile site
3. Log in to complete and submit the evaluations

74
75
Thank you.

Brksec 2001

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Brksec 2001

Încărcat de

Drepturi de autor:

Formate disponibile

BRKSEC-2001

Emerging & Evolving Threats

S-ar putea să vă placă și