2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Emerging Threats: Cisco Security Intelligence Operations
Jeff Shipley, Cisco Security Research and Operations
Slide 2
- Cisco Security Intelligence Operations
- Cyber Risk Highlights and Emerging Threats for 2010-2011
- Recommendations
Slide 3
Who Are We, What Do We Know, and How Do We Know?
Slide 4
Cisco Security Intelligence Operations, including:
- Global Threat Operations Centers
- IntelliShield Threat and Vulnerability Analysis
- Managed Services and IPS
- SensorBase and SenderBase
- Analysts
- Corporate Security Programs Office, Global Policy & Government Affairs
Global in scope; encompasses network, content, physical & geopolitical security
Slide 5
Cisco Security Intelligence Operations:
- Incident Response Groups, CERTs, SANS, BugTraq, Full Disclosure, OSVDB
- Cisco TOCs, Cisco Applied Intelligence, Cisco PSIRT, Cisco IPS, NIST
- External Security Research, Cisco RMS, Cisco CSPO, Cisco IronPort
- Internal Security Operations, Internal Security Research, ISACs, Researchers, FIRST, Cisco ScanSafe, Physical
Slide 6
What We Watch: Seven Categories of Cyber Risk
1. Cyber Vulnerabilities and Threat
2. Physical
3. Legal
4. Trust
5. Identity
6. Human
7. Geopolitical
Risk = Vulnerability x Threat x Impact
Slide 7
What and Where are the Current Threats?
Slide 8
Our Top Ten:
- Botnets (Toolkits)
- Web Exploits: SQL Injection / Cross-site Scripting
- Data and Intellectual Property Theft
- Malicious Business Documents (PDF, Office)
- Social Networks / Web 2.0
- Cloud and Virtualization
- Implied and Transient Trust (Social networks, Web)
- Open Wireless Networks
- Denial of Service Attacks (DoS / DDoS)
- IPv6/DNSSEC Deployments
Slide 9
Cybercrime Industry
Slide 10
Cybercrime industry ($$$ Flow of Money $$$):
- Developers: Tool and Toolkit Writers; Malware Writers (Worms, Spyware, Viruses, Trojans)
- First Stage Abusers: Hacker / Direct Attack; Machine Harvesting; Information Harvesting; Internal Theft: Abuse of Privilege
- Middle Men: Bot-Net Creation; Bot-Net Management (For Rent, for Lease, for Sale); Personal Information; Electronic IP Leakage; Information Brokerage; Compromised Host and Application
- Second Stage Abusers: Spammers/Affiliates; Phishers; Extortionist/DDoS-for-Hire; Pharmer/DNS Poisoning; Identity Theft
- End Value: Financial Fraud; Commercial Sales; Fraudulent Sales; Click-Through Revenue; Espionage (Corporate/Government); Fame; Extorted Pay-Offs; Theft
Slide 11
Timeline of malware public awareness, 2000-2011 (axes: Time, Public Awareness): ILOVEYOU, CODE RED, SLAMMER, MY DOOM, STORM, ZeuS, Rustock.C, Conficker, Koobface, Stuxnet, SpyEye
Slide 12
Slide 13
- Malware UP 272%
- SQL Attacks UP 350%
- DoS Attacks UP 43%
- Phishing UP ~30%
- Spam DOWN 20%
Slide 14
- Business and network expansion
- Risk to Privacy, Identity, Trust, IP protection
- Small World Relationships
- The criminals are already there: Koobface, false security warnings, tinyurls, transient trust, anonymized data reconstruction, compromised accounts, Like jacking
- Policy and User Awareness: users are there, organizations are still trying to catch up
- Who is the customer? (Schneier)
Slide 15
The fake Robin Sage Twitter account was intended to attract highly placed officials within government and security.
Apps are the criminals' eyes.
Slide 16
Traditional phishing still in use, but limited
Spear-phishing:
- Targeted phishing
- IT Admins
- Specific job roles
- Specific companies
Whaling:
- Phishing attempts specifically targeting a high value target
- C level execs
Slide 17
Mobile Devices: Symbian attacks had limited success; smart phone attacks are more about exploiting the apps and users, haven't targeted OS vulnerabilities yet; limited malware development (Zitmo, ZeuS in the Mobile)
VoIP Abuse: Brute force attacks on public PBX, intercepts and mailboxes, vishing*, network access point to jump VLANs, insider fraud. DDoS of VoIP services.
*vishing: social engineering using voice call phishing, usually for financial gain or sensitive information.
Slide 18
Scammers trick social network users into liking an intriguing Facebook page, allowing the scammers to see user profiles.
Slide 19
App Stores and Download Security Models:
- Apple: tightly controlled
- RIM: tightly controlled
- Microsoft: proprietary, controlled
- Android: wide open, few checks, open operating system
- Third Party sites: no guarantees
Slide 20
Advance Fee Fraud: Nigerian 419, Black Money, and any and every scam involving the advancing of real money for promised returns
Pharma Spam: very popular with spam Botnets; purchasing drugs at very low cost, illegal in host country, snake oil
Spyware/Scareware: "You are infected, but we can fix it." Fake AV was the 2009 and 2010 Top Money Maker for criminals
Click Redirect Fraud (and Like jacking): Web forms, account information, credit cards, personal information
Slide 21
Web Exploits: iFrame injection, compromised advertisement feeds, javascript, Search Engine Optimization, toolkits making it easier to hide
Data Theft Trojans: Zeus/SpyEye is still the king, and improving toolkits. Code exposure will likely spur even more activity
Money Laundering: the criminals' weakest point; actively changing methods, cashing out
Slide 22
- Web malware encountered tripled in the first half of 2011
- Web searches resulted in 9% of Web malware encounters, with an average of 33% resulting from Google search engine results pages
- Toolkits making it easier: Blackhole, Neosploit, Phoenix and Random JS
Slide 23
Despite takedowns and vacations, top Botnets reinvent, reshape, and retool.
Shifting Botnet Activity: In 2010, the Top 10 largest botnets accounted for approximately 47% of all botnet compromised victims, down from 81% for the 2009 Top 10. Smaller and more numerous in 2011 (Top 20, 50?)
Damballa: Eight out of the Top 10 botnet operators utilized popular off-the-shelf construction kits. Only the TDL/TDSS Gang and Eleonore Downloader Gang are not known to be using DIY kits.
Slide 24
Vulnerability Trends
Slide 25
The Apple Example: managing open source software. Few exploits are currently being created for Apple-specific platforms, but exploits are being created for open source vulnerabilities. This is a totally hidden area of vulnerability for most organizations.
Vendor Security Improving: SDLC, researcher and vendor coordination, responsible and coordinated disclosure
Slide 26
In 2010, Java exploits rose while PDF exploits fell.
Slide 27
Slide 28
72.5 million people in the U.S. used mobile devices (+15% Q/Q)
Top Smartphone Platforms, Ending MAR 2011:
  Platform    DEC 2010   MAR 2011   CHG
  Google      28.7%      34.7%      +6.0
  RIM         31.6%      27.1%      -4.5
  Apple       25.0%      25.5%      +0.5
  Microsoft    8.4%       7.5%      -0.9
  Palm         3.7%       2.8%      -0.9
What are they doing?
  Activity                                  DEC 2010   MAR 2011   CHG
  Sent text message to another phone        68.0%      68.6%      +0.6
  Used browser                              36.4%      38.6%      +2.2
  Played games                              23.2%      25.7%      +2.5
  Used Downloaded Apps                      34.4%      37.3%      +2.9
  Accessed Social Networking Site or Blog   24.7%      27.3%      +2.9
  Listened to music on mobile phone         15.7%      17.9%      +2.2
Source: comScore Reports, March 2011
Slide 29
1. Sex Appeal: it's still the best seller
2. Greed: too good to be true?
3. Vanity: you are special, right?
4. Trust: implied or transient
5. Sloth: don't check, it's probably okay
6. Compassion: please donate; lost, need help, any emergency, disaster
7. Urgency: must act now, time is running out
Slide 30
- The problem of weak, guessable passwords is not a new one, but it isn't going away; in fact, it's getting worse due to reuse
- Secondary Authentication has its own weaknesses, and could open the user to getting phished (email account as authentication factor, secret questions?)
- Too many passwords, and using the same password on multiple web sites
- Multi-Factor authentication using device or location, SMS one-time passwords: improving, but heavily depends on implementation controls
Slide 31
Implied Trust: individuals, businesses or organizations that users are familiar with and implicitly trust: email security updates from major vendors, their banks, government agencies, FedEx/UPS/DHL
Transient Trust: the six degrees of separation / Small World Experiment, chain of trust, friend of a friend of a friend; an inherently flawed trust model used on social networks
Slide 32
Advanced, persistent, and a threat
- This is not your script kiddie's attack
- It is not your typical blended/combined attack
What is your risk?
- Are you really vulnerable?
- Is it a real threat?
- What is the real impact?
Throw Black Swan in there too?
APTs will become more common, continue to evolve, and increase in sophistication, automation and availability
Slide 33
- Sourced from Botnets and attack tools; think DDoS as a Service (DDaaS)
- Diverse targets, disrupting service to millions of customers: Cloud computing provider, Web hosting provider, Security provider, DNS registrar, Telecom provider
- Targeting DNS to amplify attacks
- Not extortion attempts
- LOIC tool, Anonymous/LulzSec
Slide 34
Threats on the Horizon
Slide 35
- More types of new devices being added to networks
- Diversity of OSs and Apps
- New network entry and exit points
- More data in more places
"software glitches that need to be fixed are part of the 'new reality' of making complex cell phones in large volumes." Jim Balsillie, Co-CEO, Research In Motion (RIM)
Slide 36
- Corporate network has expanded and is a key platform for growth
- Also more permeable: Remote access, Web-based tools, Mobile devices
- Essential to today's workforce
- Don't be King Canute (Knud): you can't stop the rising tide
- Enable or Limit?
Slide 37
- Borderless networking is real and now, but true federated security systems are a ways off yet
- Layers of defense and policy enforcement are critical
- Drop bad traffic as close to the source as possible, but ensure you've got at least a couple of last lines of defense
- Identity Based Networking can help
- People and Processes Key to Mitigate Risk: user awareness and effective business processes are as important as technology solutions
Slide 38
What to Do?
Slide 39
- Stick to the Basics: Defense in Depth, Risk Management, Incident Response, Logging/Monitoring
- Establish policy, procedures and processes, and enforce them with active controls
- Use your existing technology to its full capabilities
- Protect in both directions: inbound and outbound
- Educate your users and staff
- Stay focused: don't be distracted by the threat du jour
Slide 40
- Strategy, Policy and Procedures
- Security Architecture
- Risk Management
- Holistic Approach
- (Your) Best Practices
- Continuous Monitoring
- Incident Response
- Awareness and Training
- Business Continuity / Disaster Recovery
Slide 41
Data / Systems / Assets
- Administrative: Human/Policy
- Technical: Application/Service
- Technical: System/Platform
- Technical: Network/Logical
- Physical & Environment
Slide 42
- IDS/IPS
- AV/Anti-Malware/Anti-Spyware
- System logs
- Application logs
- Patch status
- Vulnerability scans
- DNS logging
- Configuration/Change Management system alerts
- Failed logins for privileged accounts
- Physical security logs for access to restricted areas
- Data Loss Prevention data
- Remote Access logs
- Network device logs
- Account monitoring: locked out, disabled, terminated personnel, transferred personnel, dormant accounts, passwords that have reached the maximum password age, passwords that never expire
- Outbound traffic, including large transfers of data, unencrypted or encrypted
- Port scans
- Network access control lists and firewall rule sets
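As an added example (not part of the Cisco deck) of the account-monitoring items on the slide above, the Python below runs the failed-privileged-login, dormant-account and password-age checks over constructed account records and sshd-style auth log lines; the record layout, log format and policy thresholds are assumptions for illustration.

```python
from datetime import datetime

NOW = datetime(2011, 6, 30)          # constructed "today" for the sample data
DORMANT_DAYS = 90                    # assumed policy thresholds, not from the deck
MAX_PASSWORD_AGE_DAYS = 90
PRIV_FAILED_LOGIN_THRESHOLD = 3

# Constructed account records: (user, privileged?, last login, password set date, never expires?, enabled?)
ACCOUNTS = [
    ("root",    True,  "2011-06-29", "2010-11-01", True,  True),
    ("alice",   False, "2011-06-28", "2011-05-15", False, True),
    ("bob",     False, "2011-02-01", "2011-01-20", False, True),
    ("svc_bak", True,  "2011-06-30", "2011-06-01", False, False),
]

# Constructed sshd-style auth log lines (sample data, not from a real host).
AUTH_LOG = """\
Jun 30 08:01:02 gw sshd[411]: Failed password for root from 203.0.113.9 port 4022 ssh2
Jun 30 08:01:05 gw sshd[411]: Failed password for root from 203.0.113.9 port 4023 ssh2
Jun 30 08:01:09 gw sshd[411]: Failed password for root from 203.0.113.9 port 4024 ssh2
Jun 30 08:03:44 gw sshd[412]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Jun 30 08:04:10 gw sshd[413]: Accepted password for alice from 198.51.100.7 port 5101 ssh2
"""

def _days_since(date_str):
    return (NOW - datetime.strptime(date_str, "%Y-%m-%d")).days

def account_findings(accounts=ACCOUNTS):
    """Flag disabled, dormant, never-expiring and over-age password accounts."""
    findings = []
    for user, _priv, last_login, pw_set, never_expires, enabled in accounts:
        if not enabled:
            findings.append((user, "disabled account"))
        if _days_since(last_login) > DORMANT_DAYS:
            findings.append((user, "dormant account"))
        if never_expires:
            findings.append((user, "password never expires"))
        elif _days_since(pw_set) > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, "password past maximum age"))
    return findings

def privileged_failed_logins(log=AUTH_LOG, accounts=ACCOUNTS):
    """Count failed logins per privileged account; return those at or over threshold."""
    privileged = {a[0] for a in accounts if a[1]}
    counts = {}
    for line in log.splitlines():
        if "Failed password for " in line:
            user = line.split("Failed password for ", 1)[1].split()[0]
            if user in privileged:
                counts[user] = counts.get(user, 0) + 1
    return {u: n for u, n in counts.items() if n >= PRIV_FAILED_LOGIN_THRESHOLD}
```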
Slide 43
- Secure the browsers: www.us-cert.gov/reading_room/securing_browser/ and www.us-cert.gov/reading_room/
- Manage Passwords
- Use the Available Tools
- Manage Your Mobile Devices and Users: Password, Encryption, Remote Mgmt
- Establish Social Network Privacy Settings
- Avoid Free and Public Wi-Fi Connections
Slide 44
Thank You. Visit us for more at www.cisco.com/security