© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

  • Slide 1
  • Emerging Threats: Cisco Security Intelligence Operations
    Jeff Shipley, Cisco Security Research and Operations
  • Slide 2
  • Cisco Security Intelligence Operations; Cyber Risk Highlights and Emerging Threats for 2010-2011; Recommendations
  • Slide 3
  • Who Are We, What Do We Know, and How Do We Know?
  • Slide 4
  • Cisco Security Intelligence Operations, including:
    • Global Threat Operations Centers
    • IntelliShield Threat and Vulnerability Analysis
    • Managed Services and IPS
    • SensorBase and SenderBase Analysts
    • Corporate Security Programs Office, Global Policy & Government Affairs
    • Global in scope
    • Encompasses network, content, physical & geopolitical security
  • Slide 5
  • Cisco Security Intelligence Operations (sources shown on the slide): Incident Response Groups, CERTs, SANS, BugTraq, Full Disclosure, OSVDB, Cisco TOCs, Cisco Applied Intelligence, Cisco PSIRT, Cisco IPS, NIST, External Security Research, Cisco RMS, Cisco CSPO, Cisco IronPort, Internal Security Operations, Internal Security Research, ISACs, Researchers, FIRST, Cisco ScanSafe, Physical
  • Slide 6
  • What We Watch: Seven Categories of Cyber Risk
    1. Cyber Vulnerabilities and Threat
    2. Physical
    3. Legal
    4. Trust
    5. Identity
    6. Human
    7. Geopolitical
    Risk = Vulnerability x Threat x Impact
  • Slide 7
  • What and Where are the Current Threats?
  • Slide 8
  • Our Top Ten
    1. Botnets (Toolkits)
    2. Web Exploits: SQL Injection / Cross-site Scripting
    3. Data and Intellectual Property Theft
    4. Malicious Business Documents (PDF, Office)
    5. Social Networks / Web 2.0
    6. Cloud and Virtualization
    7. Implied and Transient Trust (Social networks, Web)
    8. Open Wireless Networks
    9. Denial of Service Attacks (DoS / DDoS)
    10. IPv6/DNSSEC Deployments
  • Slide 9
  • Cybercrime Industry
  • Slide 10
  • Cybercrime industry stages (diagram on the slide, $$$ Flow of Money $$$ running left to right):
    • Developers: Tool and Toolkit Writers; Malware Writers (Worms, Spyware, Viruses, Trojans)
    • First Stage Abusers: Machine Harvesting; Information Harvesting; Hacker / Direct Attack; Internal Theft: Abuse of Privilege
    • Middle Men: Bot-Net Creation; Bot-Net Management: For Rent, for Lease, for Sale; Information Brokerage
    • Second Stage Abusers: Spammers/Affiliates; Phishers; Extortionist/DDoS-for-Hire; Pharmer/DNS Poisoning; Identity Theft
    • End Value: Financial Fraud; Commercial Sales; Fraudulent Sales; Click-Through Revenue; Espionage (Corporate/Government); Fame; Extorted Pay-Offs; Theft
    • Flows between stages: Compromised Host and Application; Personal Information; Electronic IP Leakage
  • Slide 11
  • Timeline of public awareness, 2000 to 2011: ILOVEYOU, CODE RED, SLAMMER, MY DOOM, STORM, ZeuS, Rustock.C, Conficker, Koobface, Stuxnet, SpyEye
  • Slide 12
  • [figure only; no slide text recovered]
  • Slide 13
  • Malware UP 272%; SQL Attacks UP 350%; DoS Attacks UP 43%; Phishing UP ~30%; Spam DOWN 20%
  • Slide 14
  • Social networks:
    • Business and network expansion
    • Risk to Privacy, Identity, Trust, IP protection
    • Small World Relationships
    • The criminals are already there: Koobface, false security warnings, tinyurls, transient trust, anonymized data reconstruction, compromised accounts, Like jacking
    • Policy and User Awareness: users are there, organizations are still trying to catch up
    • Who is the customer? (Schneier)
  • Slide 15
  • The fake Robin Sage Twitter account was intended to attract highly placed officials within government and security. Apps are the criminals' eyes.
  • Slide 16
  • Traditional phishing still in use, but limited
    • Spear-phishing: targeted phishing of IT Admins, specific job roles, specific companies
    • Whaling: phishing attempts specifically targeting a high value target (C level execs)
  • Slide 17
  • Mobile Devices: Symbian attacks had limited success; smart phone attacks are more about exploiting the apps and users, haven't targeted OS vulnerabilities yet; limited malware development (Zitmo, "ZeuS in the Mobile")
    VoIP Abuse: Brute force attacks on public PBX, intercepts and mailboxes, vishing*, network access point to jump VLANs, insider fraud. DDoS of VoIP services.
    *vishing: social engineering using voice call phishing, usually for financial gain or sensitive information.
  • Slide 18
  • Scammers trick social network users into "liking" an intriguing Facebook page, allowing the scammers to see user profiles.
  • Slide 19
  • App Stores and Download Security Models
    • Apple: tightly controlled
    • RIM: tightly controlled
    • Microsoft: proprietary, controlled
    • Android: wide open, few checks, open operating system
    • Third Party sites: no guarantees
  • Slide 20
  • Advance Fee Fraud: Nigerian 419, Black Money, any and every scam involving the advancing of real money for promised returns
    Pharma Spam: Very popular with spam Botnets; purchasing drugs at very low cost, illegal in host country, snake oil
    Spyware/Scareware: "You are infected, but we can fix it." Fake AV was the 2009 and 2010 Top Money Maker for criminals
    Click Redirect Fraud (and Like jacking): Web forms, account information, credit cards, personal information
  • Slide 21
  • Web Exploits: iFrame injection, compromised advertisement feeds, javascript, Search Engine Optimization, toolkits making it easier to hide
    Data Theft Trojans: Zeus/SpyEye is still the king, and improving toolkits. Code exposure will likely spur even more activity
    Money Laundering: The criminals' weakest point; actively changing methods, cashing out
  • Slide 22
  • Web malware encountered tripled in first half of 2011
    • Web searches resulted in 9% of Web malware encounters, with an average of 33% resulting from Google search engine results pages
    • Toolkits making it easier: Blackhole, Neosploit, Phoenix and Random JS
  • Slide 23
  • Despite takedowns and vacations, top Botnets reinvent, reshape, and retool.
    • Shifting Botnet Activity: In 2010, the Top 10 largest botnets accounted for approximately 47% of all botnet compromised victims, down from 81% of the 2009 Top 10. Smaller and more numerous in 2011 (Top 20, 50?)
    • Damballa: Eight out of the Top 10 botnet operators utilized popular off-the-shelf construction kits. Only TDL/TDSS Gang and Eleonore Downloader Gang are not known to be using DIY kits.
  • Slide 24
  • Vulnerability Trends
  • Slide 25
  • The Apple Example: managing open source software. Few exploits are currently being created for Apple specific platforms, but exploits are being created for open source vulnerabilities. This is a totally hidden area of vulnerability for most organizations.
    Vendor Security Improving: SDLC, researcher and vendor coordination, responsible and coordinated disclosure
  • Slide 26
  • In 2010, Java exploits rose while PDF exploits fell.
  • Slide 27
  • [figure only; no slide text recovered]
  • Slide 28
  • 72.5 million people in the U.S. used mobile devices (+15% Q/Q)
    Top Smartphone Platforms, quarter ending MAR 2011:
      Platform    DEC 2010   MAR 2011   CHG
      Google      28.7%      34.7%      +6.0
      RIM         31.6%      27.1%      -4.5
      Apple       25.0%      25.5%      +0.5
      Microsoft   8.4%       7.5%       -0.9
      Palm        3.7%       2.8%       -0.9
    What are they doing?
      Activity                                      DEC 2010   MAR 2011   CHG
      Sent text message to another phone            68.0%      68.6%      +0.6
      Used browser                                  36.4%      38.6%      +2.2
      Played games                                  23.2%      25.7%      +2.5
      Used Downloaded Apps                          34.4%      37.3%      +2.9
      Accessed Social Networking Site or Blog       24.7%      27.3%      +2.9
      Listened to music on mobile phone             15.7%      17.9%      +2.2
    Source: comScore Reports, March 2011
  • Slide 29
  • Social engineering levers:
    1. Sex Appeal: it's still the best seller
    2. Greed: too good to be true?
    3. Vanity: you are special, right?
    4. Trust: implied or transient
    5. Sloth: don't check, it's probably okay
    6. Compassion: please, donations, lost, need help, any emergency, disaster
    7. Urgency: must act now, time is running out
  • Slide 30
  • The problem of weak, guessable passwords is not a new one, but it isn't going away; in fact, it's getting worse due to reuse
    • Secondary Authentication has its own weaknesses and could open the user to being phished (email account as authentication factor, secret questions?)
    • Too many passwords, and using the same password on multiple web sites
    • Multi-Factor authentication using device or location, SMS one-time passwords: improving, but heavily depends on implementation controls
  • Slide 31
  • Implied Trust: An individual, business or organization that users are familiar with and implicitly trust: email security updates from major vendors, their banks, government agencies, FedEx/UPS/DHL
    Transient Trust: The six degrees of separation / Small World Experiment, chain of trust, friend of a friend of a friend; an inherently flawed trust model used on social networks
  • Slide 32
  • Advanced, persistent, and a threat
    • This is not your script kiddie's attack
    • It is not your typical blended/combined attack
    What is your risk?
    • Are you really vulnerable?
    • Is it a real threat?
    • What is the real impact?
    • Throw Black Swan in there too?
    APTs will become more common, continue to evolve, and increase in sophistication, automation and availability
  • Slide 33
  • Sourced from Botnets and attack tools; think DDoS as a Service (DDaaS)
    • Diverse targets disrupting service to millions of customers: Cloud computing provider, Web hosting provider, Security provider, DNS registrar, Telecom provider
    • Targeting DNS to amplify attacks
    • Not extortion attempts
    • LOIC tool, Anonymous/LulzSec
  • Slide 34
  • Threats on the Horizon
  • Slide 35
  • More types of new devices being added to networks
    • Diversity of OSs and Apps
    • New network entry and exit points
    • More data in more places
    "Software glitches that need to be fixed ... are part of the 'new reality' of making complex cell phones in large volumes." Jim Balsillie, Co-CEO, Research In Motion (RIM)
  • Slide 36
  • Corporate network has expanded and is a key platform for growth
    • Also more permeable: Remote access, Web-based tools, Mobile devices
    • Essential to today's workforce
    • Don't be King Canute (Knud), you can't stop the rising tide
    • Enable or Limit?
  • Slide 37
  • Borderless networking is real and now, but true federated security systems are a ways off yet
    • Layers of defense and policy enforcement are critical
    • Drop bad traffic as close to the source as possible, but ensure you've got at least a couple of last lines of defense
    • Identity Based Networking can help
    People and Processes Key to Mitigate Risk
    • User awareness and effective business processes are as important as technology solutions
  • Slide 38
  • What to Do?
  • Slide 39
  • Stick to the Basics: Defense in Depth, Risk Management, Incident Response, Logging/Monitoring
    • Establish policy, procedures and processes and enforce them with active controls
    • Use your existing technology to its full capabilities
    • Protect in both directions: inbound and outbound
    • Educate your users and staff
    • Stay focused: Don't be distracted by the threat du jour
  • Slide 40
  • Strategy, Policy and Procedures; Security Architecture; Risk Management; Holistic Approach; (Your) Best Practices; Continuous Monitoring; Incident Response; Awareness and Training; Business Continuity / Disaster Recovery
  • Slide 41
  • Layers of defense around Data, Systems and Assets:
    • Administrative: Human/Policy
    • Technical: Application/Service
    • Technical: System/Platform
    • Technical: Network/Logical
    • Physical & Environment
  • Slide 42
  • What to monitor:
    • IDS/IPS
    • AV/Anti-Malware/Anti-Spyware
    • System logs
    • Application logs
    • Patch status
    • Vulnerability scans
    • DNS logging
    • Configuration/Change Management system alerts
    • Failed logins for privileged accounts
    • Physical security logs for access to restricted areas
    • Data Loss Prevention data
    • Remote Access logs
    • Network device logs
    • Account monitoring: locked out, disabled, terminated personnel, transferred personnel, dormant accounts, passwords that have reached the maximum password age, passwords that never expire
    • Outbound traffic, to include large transfers of data, unencrypted or encrypted
    • Port scans
    • Network access control lists and firewall rule sets
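An added example (not from the Cisco deck) showing how a few of the account-monitoring items above can be checked mechanically: dormant accounts, passwords past the maximum age or set to never expire, and repeated failed logins on privileged accounts. The account records, log lines, and the 90-day and 60-day policy thresholds are constructed assumptions.

```python
# Added example, not Cisco's code: review pass for the slide-42 account checks.
# Account records, auth log lines and policy thresholds are constructed sample data.
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy: passwords older than this are past max age
DORMANT_DAYS = 60            # assumed policy: no login for this long means dormant
TODAY = date(2011, 6, 30)    # fixed "today" so the sample data is reproducible

# Constructed directory export: privileged flag, last login, password set date, never-expires flag
ACCOUNTS = [
    {"user": "alice", "admin": True, "last_login": date(2011, 6, 29),
     "pw_set": date(2011, 5, 1), "pw_never_expires": False},
    {"user": "bob", "admin": False, "last_login": date(2011, 3, 2),
     "pw_set": date(2011, 1, 10), "pw_never_expires": False},
    {"user": "svc_backup", "admin": True, "last_login": date(2011, 6, 28),
     "pw_set": date(2009, 1, 1), "pw_never_expires": True},
]

# Constructed syslog-style auth lines; only the "Failed password for <user>" field is used
AUTH_LOG = """\
Jun 30 08:01:02 host1 sshd: Failed password for root from 10.0.0.5
Jun 30 08:01:05 host1 sshd: Failed password for root from 10.0.0.5
Jun 30 08:01:09 host1 sshd: Failed password for root from 10.0.0.5
Jun 30 08:02:00 host1 sshd: Accepted password for bob from 10.0.0.9
Jun 30 08:03:11 host1 sshd: Failed password for alice from 10.0.0.7
"""

def review_accounts(accounts, today=TODAY):
    """Return (user, finding) pairs for dormant accounts and password-age policy violations."""
    findings = []
    for a in accounts:
        if (today - a["last_login"]).days > DORMANT_DAYS:
            findings.append((a["user"], "dormant"))
        if a["pw_never_expires"]:
            findings.append((a["user"], "password never expires"))
        elif (today - a["pw_set"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a["user"], "password past maximum age"))
    return findings

def failed_privileged_logins(log, accounts, threshold=3):
    """Count failed logins per privileged user (admins plus root); return those at/over threshold."""
    privileged = {a["user"] for a in accounts if a["admin"]} | {"root"}
    counts = {}
    for line in log.splitlines():
        if "Failed password for " in line:
            user = line.split("Failed password for ")[1].split()[0]
            if user in privileged:
                counts[user] = counts.get(user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}
```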
  • Slide 43
  • Secure the browsers: www.us-cert.gov/reading_room/securing_browser/ and www.us-cert.gov/reading_room/
    • Manage Passwords
    • Use the Available Tools
    • Manage Your Mobile Devices and Users: Password, Encryption, Remote Mgmt
    • Establish Social Network Privacy Settings
    • Avoid Free and Public Wi-Fi Connections
  • Slide 44
  • Thank You. Visit us for more at www.cisco.com/security