Chin Symantec Keynote 6014
8/6/2019 Chin Symantec Keynote 6014
Anatomy Of A Data Breach: Exploring The Current Threat Landscape
Larry Chin: Sr. Security Architect
CISA, CISSP, PCI-QSA
Moderator: Angela Moscaritolo, senior reporter, SC Magazine
-
Threat Landscape: 2010 Trends
Social Networking + social engineering = compromise
Attack Kits get a caffeine boost
Targeted Attacks continued to evolve
Hide and Seek (zero-day vulnerabilities and rootkits)
Mobile Threats increase
-
The Threats Behind The Numbers
Data Breaches: RSA, Lockheed Martin, Sony, Honda, Northrop Grumman, Epsilon
February 2011
Tatanarg/Tatanga: Trojan/rootkit/MITM, fraudulent banking transactions via browser
Oddjob: Trojan infostealer
Night Dragon: SQL injection and other vectors for information theft
April 2011
Qakbot: Internet Explorer or QuickTime vulnerability; rootkit, information theft
Lizamoon: SQL injection to propagate FakeAV ransomware
-
The Escalating Threat Landscape
In 2003 we released an average of 5 definitions a day. 2007: 1431 daily.
Over the second half of 2007 there was a 524% increase in the number of threats.
More detections were created in 2008 than in all the other years combined: 7500 per day.
In 2009 we started releasing up to 12,000 new signatures a day.
Today, over 25,000 per day.
In 2010 there were over 10 million signatures written to catch 286 million threats and stop over 3.1B attacks.
-
Infection Vectors: Email Phishing / Targeted Attack
Targeted email attacks are much more publicized these days. These usually consist of a PDF or Office document with a built-in vulnerability that drops a back door.
Example: RSA Attack
Email to HR staff with subject: 2011 Recruitment Plan
Excel document titled: 2011 Recruitment plan.xls
The document had a 0-day Adobe vulnerability embedded in it.
The vulnerability downloaded a custom backdoor from the Poison Ivy family.
-
Infection Vectors: Malicious Websites and Toolkits
-
Advanced Persistent Threats
-
What is an Advanced Persistent Threat?
An Advanced Persistent Threat (APT) is a sophisticated and well-planned network attack focused against a targeted organization.
APTs are usually well-funded and use state of the art, often customized, tools that help the attackers avoid detection by the usual methods.
In addition to funding and customized tools, APT attacks are distinguished by their level of perseverance and the patience needed on the part of the attacker to be successful.
While most APTs are focused on the government, financial and manufacturing sectors, any organization can be a target.
-
APT: Targeted Attacks Continue To Evolve
High profile attacks in 2010 raised awareness of the impact of APTs
Stuxnet was incredibly sophisticated:
Four zero-day vulnerabilities
Stolen digital signatures
Ability to leap the air gap with USB key
Potential damage to infrastructure
-
Less sophisticated attacks also cause significant damage
Average cost of U.S. data breach in 2010: $7.2 million
Average cost of CAN data breach in 2010: $1.9 million
[Chart: Average # of Identities Exposed per Data Breach by Cause; axes: Sophistication vs. Degree Of Damage]
-
Typical Attack Scenario - Noisy
Traditional Hacker Attack
In a typical attack scenario the attacker goes for the low hanging fruit.
An attacker will either scan for vulnerable hosts, set up a malicious website or send out hundreds of thousands, even millions, of phishing emails.
Because of the large number of attempts they are bound to find unpatched systems, exploit those systems and extract data from those exploited systems.
The large scale of these types of attacks also means that it is easy to spot them and prevent them from infecting your network.
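The slide's point that a mass scan is easy to spot because of its sheer volume can be shown with a simple sliding-window threshold detector. The following is an added example written for this transcript, not code from the keynote or from Symantec; the firewall log layout (timestamp, source, destination, destination port, action), the addresses and the timings are constructed for illustration. A source that touches many distinct destination/port pairs inside a short window is flagged; the ordinary client in the same sample, like a low-and-slow attacker that stays under the threshold, is not, which is exactly the gap the next slide describes.

```python
"""Threshold detection of a "noisy" mass scan.

Added example for this transcript, not code from the keynote. The log
layout (timestamp, source, destination, destination port, action) is an
assumed generic firewall export; all addresses and timings are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return Conn(datetime.fromisoformat(ts), src, dst, int(dport), action)


def build_sample_log():
    """Constructed log: one source sweeping 50 hosts on two ports in ~10 s,
    one ordinary client talking to three hosts over a couple of minutes."""
    base = datetime(2011, 5, 2, 9, 0, 0)
    lines = []
    for i in range(50):
        for k, port in enumerate((22, 445)):
            t = base + timedelta(milliseconds=100 * (2 * i + k))
            lines.append(f"{t.isoformat()} 198.51.100.7 10.0.0.{i + 1} {port} DENY")
    normal = [("10.0.0.5", 443), ("10.0.0.5", 443), ("10.0.0.9", 80), ("10.0.0.20", 25)]
    for i, (dst, port) in enumerate(normal):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} 192.0.2.5 {dst} {port} ALLOW")
    return lines


def detect_noisy_sources(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {src: peak distinct (dst, port) count} for every source that
    touched at least `min_targets` distinct (dst, port) pairs within any
    `window`-long span. Sliding window over the source's time-sorted events."""
    by_src = defaultdict(list)
    for conn in sorted((parse_line(l) for l in lines), key=lambda c: c.ts):
        by_src[conn.src].append(conn)
    flagged = {}
    for src, events in by_src.items():
        in_window = defaultdict(int)  # (dst, dport) -> hits inside the window
        start = 0
        for conn in events:
            in_window[(conn.dst, conn.dport)] += 1
            while conn.ts - events[start].ts > window:  # expire old events
                old = (events[start].dst, events[start].dport)
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    for src, n in detect_noisy_sources(build_sample_log()).items():
        print(f"{src}: {n} distinct targets inside one window -> noisy, alert/block")
```

The thresholds (60-second window, 20 distinct targets) are illustrative; in practice they are tuned per network segment, and the same structure works over denied-connection counts or failed logins.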
-
APT Attack: Low And Slow
An APT Attack
Cost of the attack: < $5000
An APT attack takes a different approach because it is starting from a different perspective: with a target already in place.
In the case of an APT, the attacker starts by finding out as much information as possible about the target and storyboarding that information.
Information can come from the organization's website, Google searches, social media sites and various business research tools.
In this case, the attacker is looking for weaknesses in the organization itself, as opposed to typical software vulnerabilities.
-
8/6/2019 Chin Symantec Keynote 6014
14/30
-
8/6/2019 Chin Symantec Keynote 6014
15/30
Stopping An APT Attack
Stopping APT attacks is almost impossible because they rely on a combination of software and human weakness.
The best hope is to contain the attack and work to ensure that no data is leaked.
Because of the sophistication of these attacks, traditional signature-based detection does not usually work.
Instead, detecting an APT attack requires anomaly detection, pattern extraction from those anomalies and the ability to block the attack, or information egress.
-
Food For Thought
Mobile & Social Media
-
Mobility Challenges
Endpoint Heterogeneity
Multiple mobile platforms with widely varying and ever-changing capabilities and form factors; IT cannot have in-depth details about all platforms.
Point solutions make it difficult to enforce an overall corporate policy.
Mobile Consumerization
Corporate data on personal devices raises security, liability and manageability issues.
How to allow this large number of devices to securely connect to the enterprise?
Application Management & Enterprise Integration
Mobile apps need to connect to enterprise backends and vice versa; what is the framework to allow this communication?
Enterprise IT has existing investments. How can they be leveraged for mobility?
-
Mobile Data Loss
2008 Ponemon/Dell Study: 12,000 laptops lost in airports each week
2011: ?
-
Mobile Threats
Most malware for mobiles are Trojans posing as legitimate apps
Mobiles will be targeted more when used for financial transactions
2009: 115 vulnerabilities
2010: 163 vulnerabilities
2011: already > 150 vulnerabilities targeting mobile platforms!
-
Mobile Threats - Android
Eight versions in 2.5 years
Currently being used on 310 different devices; activated on 100 million phones in 2011
425,000 apps available by Fall 2011; Google does not test or pre-vet these
Open source means it's easy for cyber criminals to get a quick financial hit
$1500 - $4500 for the tools required to make much, much more: schemes that involve premium billing rates, spyware, search engine poisoning, adware, and pay-per-installs.
Thirty Trojanized apps removed from the Android store
Pre-packaged crypters can create fully undetectable trojanized apps
-
Social Media: Facebook Statistics as of June 7, 2011
Mobile
There are more than 250 million active users currently accessing Facebook through their mobile devices.
People that use Facebook on their mobile devices are twice as active on Facebook as non-mobile users.
There are more than 200 mobile operators in 60 countries working to deploy and promote Facebook mobile products.
Platform
Entrepreneurs and developers from more than 190 countries build with the Facebook Platform.
People on Facebook install 20 million applications every day.
Every month, more than 250 million people engage with Facebook on external websites.
Since social plugins launched in April 2010, an average of 10,000 new websites integrate with Facebook every day.
More than 2.5 million websites have integrated with Facebook, including over 80 of comScore's U.S. Top 100 websites and over half of comScore's Global Top 100 websites.
People on Facebook
More than 600 million active users.
50% of our active users log on to Facebook in any given day.
Average user has 130 friends.
People spend over 700 billion minutes per month on Facebook.
If Facebook were a country it would be the 3rd largest in the world.
-
Social Networking + Social Engineering = Compromise
Hackers have adopted social networking:
Use profile information to create targeted social engineering
Impersonate friends to launch attacks
Leverage news feeds to spread spam, scams and massive attacks
-
Canadian Trends in Mobility Adoption and Social Networking
Demand for access to social networking sites and the desire to bring your device to work continue to grow.
Many organizations are looking at this as an opportunity rather than a threat: Research and Development, Marketing, Human Resources, Sales, Customer Service; innovation, create brand recognition, hire and retain employees, generate revenue, improve customer satisfaction.
Social networking creates instant access to millions of consumers or constituents.
Bring your device to work can: reduce training costs and subsequent support; increase employee productivity in and outside of an organization; be used as a strategy to attract top talent in the marketplace; accelerate the process of IT transforming itself from a cost center that says no to the business partner that helps drive new revenue.
Enterprises must develop an appropriate strategy and controls to manage their use of social media and new smart devices.
-
Risks Of Social Media In The Enterprise
There are significant risks to those who adopt this technology without a clear strategy that addresses both the benefits and the risks:
Introduction of viruses and malware to the organizational network
Exposure to customers and the enterprise through a fraudulent or hijacked corporate presence
Unclear or undefined content rights to information posted to social media sites
A move to a digital business model may increase customer service expectations
Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery
Use of personal accounts to communicate work-related information
Employee posting of pictures or information that link them to the enterprise
Excessive employee use of social media in the workplace
Employee access to social media via enterprise-supplied mobile devices (smartphones, personal digital assistants [PDAs])
-
Stages Of A Breach
> Incursion
The #1 vector is email, a trend that has accelerated
The web is becoming an increasing vector for malware coming into companies.
90% of breaches due to unpatched vulnerabilities
> Discovery
Advanced Persistent Threats
Phishing/Spear Phishing
Compromise of endpoints
> Capture: Data Theft
Bundling of information for egress
Survey for egress points (mail, ftp, dns, web)
> Exfiltration
400,000 military documents posted by Wikileaks, Oct. 2010
Dumpster Dives Turn Up Personal Information, Toronto, Oct. 2010
Copy Machines Spill Identity Secrets, Oct. 2010
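The approach the "Stopping An APT Attack" slide calls for (anomaly detection, pattern extraction from the anomalies, and blocking information egress) and the egress points listed under Capture above (mail, ftp, dns, web) can be worked through over constructed log data. The following is an added example for this transcript, not code from the keynote or from any Symantec product; the host names, the attacker-example.test domain and all per-day byte counts are constructed, and the record layout is an assumed aggregation of proxy, mail and DNS logs into daily outbound totals per host, channel and destination. Each host's normal volume per channel is profiled from a week of baseline, today's records are flagged when a single record exceeds that baseline or reaches a destination never seen for that host, and a domain that recurs across several flagged hosts is extracted as the shared pattern to feed an egress block list.

```python
"""Egress anomaly detection over constructed per-host outbound totals.

Added example for this transcript, not code from the keynote. Channels
(web, mail, dns) mirror the egress points named on the slide; every
host name, domain and byte count below is constructed.
"""
import statistics
from collections import defaultdict

HOSTS = ("ws-01", "ws-02", "ws-03")


def build_baseline(days=7):
    """Seven days of ordinary outbound totals: (day, host, channel, destination, bytes)."""
    rows = []
    for d in range(days):
        for i, h in enumerate(HOSTS):
            jitter = 40_000 * ((d + i) % 5)  # deterministic day-to-day variation
            rows.append((d, h, "web", "cdn.example.net", 2_000_000 + jitter))
            rows.append((d, h, "mail", "mx.example.net", 150_000 + jitter // 10))
            rows.append((d, h, "dns", "example.net", 6_000 + jitter // 100))
    return rows


# Constructed "today": ws-01 is normal, ws-02 pushes a bundled archive out over
# HTTPS, ws-03 uses DNS queries to an attacker domain as its egress channel.
TODAY = [
    (7, "ws-01", "web", "cdn.example.net", 2_050_000),
    (7, "ws-01", "mail", "mx.example.net", 160_000),
    (7, "ws-01", "dns", "example.net", 6_100),
    (7, "ws-02", "web", "cdn.example.net", 2_100_000),
    (7, "ws-02", "web", "files.attacker-example.test", 48_000_000),
    (7, "ws-02", "dns", "example.net", 6_200),
    (7, "ws-03", "web", "cdn.example.net", 1_900_000),
    (7, "ws-03", "dns", "example.net", 6_000),
    (7, "ws-03", "dns", "attacker-example.test", 900_000),
]


def baseline_profile(rows):
    """Per (host, channel): mean and stdev of the daily total, plus destinations seen."""
    per_day = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for day, host, ch, dest, nbytes in rows:
        per_day[(host, ch)][day] += nbytes
        dests[(host, ch)].add(dest)
    profile = {}
    for key, totals in per_day.items():
        vals = list(totals.values())
        sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        profile[key] = (statistics.mean(vals), sd, dests[key])
    return profile


def registered_domain(name):
    """Simplification: treat the last two labels as the registered domain."""
    return ".".join(name.split(".")[-2:])


def find_anomalies(profile, rows, z=3.0, factor=1.2):
    """Anomaly detection: a record is flagged when its byte count alone exceeds
    the channel's baseline daily total by z standard deviations and by `factor`,
    or when its destination was never seen for that host and channel."""
    findings = []
    for day, host, ch, dest, nbytes in rows:
        mean, sd, known = profile.get((host, ch), (0.0, 0.0, set()))
        reasons = []
        if nbytes > max(mean + z * sd, mean * factor):
            reasons.append("volume")
        if dest not in known:
            reasons.append("new-destination")
        if reasons:
            findings.append((host, ch, dest, nbytes, reasons))
    return findings


def extract_block_candidates(findings, min_hosts=2):
    """Pattern extraction: a domain that shows up in anomalies on several
    hosts is the shared indicator worth pushing to the egress block list."""
    hosts_by_domain = defaultdict(set)
    for host, _ch, dest, _nbytes, _reasons in findings:
        hosts_by_domain[registered_domain(dest)].add(host)
    return sorted(d for d, hs in hosts_by_domain.items() if len(hs) >= min_hosts)


def run():
    profile = baseline_profile(build_baseline())
    findings = find_anomalies(profile, TODAY)
    return findings, extract_block_candidates(findings)


if __name__ == "__main__":
    findings, block = run()
    for host, ch, dest, nbytes, reasons in findings:
        print(f"{host} {ch:4} {dest:30} {nbytes:>10} {','.join(reasons)}")
    print("block candidates:", block)
```

Counting DNS query bytes per destination domain is what lets the same volume rule catch DNS used as an egress channel; a signature for the attacker domain would not have existed beforehand, which is the slide's argument for anomaly-based detection over signatures.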
-
What Caused The Breach
Poorly Protected Infrastructure: SQL Injection; Siloed, Inconsistent Protection; Physical Security; Proactive Threat Information
Lack of IT Policies: 81% Of Targeted Companies Were Not PCI Compliant; 67% Of Breaches Are Due To Insider Negligence Or Lack Of Knowledge
Poorly Protected Information: Encryption, Particularly On Mobile Devices And Detachable Storage; Data Loss Prevention; Application And Device Control
Poorly Managed Systems: Reporting And Enterprise-Wide Visibility; Timely Patching Or Mitigating Measures; Policy And Procedure
-
Preventing The Breach: A Holistic Security Strategy
Layers of the strategy, with LOGS and WORKFLOW running across all of them:
Protection (Data / Information / Intellectual Property): Workstation Config & Security, Servers Config & Security, Web Security, Data Protection & Backup, Mail Security
Monitoring: Log Collection From All Systems, Reporting, Proactive Measures
Management (TCO): Server Management, Service & Asset Mgmt., Workstation Management
Policy, Procedure (Compliance & Audit): Standards, Legislation, Regulations (PCI, SOX etc.), Policy / Procedure (Internal and External), User Awareness
Consequences of gaps in these layers:
Legal Action & Financial Penalties
Lack of Standardization, operational costs
Flawed Operations, Liability, Data Loss
Unplanned outages, data loss, operational costs
Excessive SW/HW Costs, No Asset Mgmt., support costs
TCO, LOE & support cost; levels of control and security
Endpoint Compromise, Enterprise Compromise, Web Borne Threats, Confidential Info Loss, Spam, Phishing, Trojans etc.
No Log Aggregation & Correlation for Reporting
No Operational Visibility, No Ability to Mitigate Impact of New Threats
-
The Consequences
Consequences of gaps in the strategy layers (Protection, Monitoring, Management, Policy and Procedure) of the previous slide:
Legal Action & Financial Penalties
Lack of Standardization, operational costs
Flawed Operations, Liability, Data Loss
Unplanned outages, data loss, operational costs
Excessive SW/HW Costs, No Asset Mgmt., support costs
TCO, LOE & support cost; levels of control and security
Endpoint Compromise, Enterprise Compromise, Web Borne Threats, Confidential Info Loss, Spam, Phishing, Trojans etc.
No Log Aggregation & Correlation for Reporting
No Operational Visibility, No Ability to Mitigate Impact of New Threats
-
Eight Questions To Security
Can You Respond To Threats Proactively?
Are Your Policies Current And Relevant?
Do You Know Where Your Sensitive Information Resides?
Is Your Infrastructure Management As Cost Effective As Possible?
Can You Enforce IT Policies And Remediate Deficiencies?
Do You Know Who Is Using Your Information?
Can You Easily Manage The Lifecycle Of Your IT Assets?
Do You Have Visibility Across The Enterprise?
-
Thank You
Larry Chin