© 2008 Dataprep Holdings Bhd. All Rights Reserved.

DP SECURE 2008

SCARING YOU SECURE...

INSIGHT INTO THE IT SECURITY JUNGLE

BY

DALBIR SINGH, CISSP
+60192109229

[email protected]

Agenda

• Insight to IT Security
• Threats and Technology
• Anticipated Top 10 Information Security Trends of 2008
• Security Highlight
  • Presidential Election – US
  • Zero Day Attack
• Conclusion

Why Today’s Presentation?

• Creating an awareness of the technology risks is a step in helping the user community take necessary precautions
• There is a need to be more PROACTIVE when it comes to technology security
• We need to understand that in many cases, technology alone cannot solve security problems
• Providing users with information that can be used to help make their technology environment more secure is a win-win situation

Key Issues Facing Customers Today

These issues are common to the computer and network layers.

Security
• Threats
• Theft
• Loss
• Response time

Application and Service Optimization
• Enablers
• Awareness
• App management
• Performance/optimization
• Resilience

Simplification
• Scale
• Cost
• Staffing
• Integration and systems management

Security Incidents 2007 – CSI Computer Crime & Security

Dollar Amount Losses by Type of Attack

Security Technologies Used

Techniques Used to Evaluate Effectiveness of Security Technologies

Techniques Used to Evaluate Effectiveness of Security Awareness Training

Actions Taken Following an Incident

Reasons for NOT Reporting

Key Findings

• The average annual loss reported in this year’s survey shot up to $350,424 from $168,000 the previous year. Not since the 2004 report have average losses been this high.
• Almost one-fifth (18%) of those respondents who suffered one or more kinds of security incident further said they’d suffered a “targeted attack”, defined as a malware attack aimed exclusively at their organization.
• Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software) edged out virus incidents as the most prevalent security problem, with 59 and 52 percent of respondents reporting each respectively.
• When asked generally whether they’d suffered a security incident, 46 percent of respondents said yes, down from 53 percent last year and 56 percent the year before.

What is Security?

Merriam-Webster’s Collegiate Dictionary

• Main Entry: se·cu·ri·ty
• Pronunciation: si-’kyur-&-tE
• 1. The quality or state of being secure: as
  • a: freedom from danger: SAFETY
  • b: freedom from fear and anxiety
  • c: freedom from the prospect of being laid off
• 2.
  • a: Something given, deposited, or pledged to make certain the fulfillment of an obligation: SURETY
• 3. An evidence of debt or ownership

What is Security?

• 4.
  • a: something that secures: PROTECTION
  • b:
    • i: measures taken to guard against espionage or sabotage, crime, attack or escape
    • ii: an organization or department whose task is security

Why should you care?

• The bottom line = $$$
• Risk assessment to loss of systems
  • What is the $/hr for an end user workstation
  • What is the $/day for a server
  • What is the $/week, month, year for a critical system
• Worst Case
  • Production banner goes down and never comes back

Why should you care?

• Liability = Responsibility
• State and federal guidelines for IT data, systems and security
  • What would be the legal ramifications if somebody broke in and stole all the client info? Email addresses for spam?
• Worst Case
  • System insecurity leads to a leak of confidential information which results in a very big lawsuit

Why should you care?

• Damages prestige of the company
• Bad press directly/indirectly influences:
  • Department, staff and clients
  • Potential staff and clients
• Causes the company to become a known target
  • Weak security = easy target
  • Word gets around VERY QUICKLY in hackerdom
• Worst Case
  • NST/Star front page article deriding you, your department and company

The Big Fallacy

• “There’s nothing on my computer anybody would want!” – a non-IT manager
• Would you want everyone/anyone to:
  • Look at the web sites you’ve visited?
  • Read all your email?
  • Write email with your userid?
  • Use any credit cards you’ve used online?
  • Alter/delete data on your system?
  • Hijack your system for further attacks to other systems?

Threats Continue to Evolve

So Many New Security Technologies

Evolution of Security Challenges

[Figure: target and scope of damage (individual computer, individual networks, multiple networks, regional networks, global infrastructure impact) plotted against era (1980s, 1990s, today, future) for 1st Gen, 2nd Gen, 3rd Gen and Next Gen threats, with a time scale of weeks, days, minutes and seconds.]

Time from knowledge of vulnerability to release of exploit is shrinking

Virus and Worm Attacks

Instant Macro Virus Maker

Regulatory Compliance and the “IAC Triad”

Regulatory compliance
• BNM GPIS 1, HIPAA, Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX), Basel II, EPA

Integrity
• Assures accuracy and reliability of data and systems, ensuring neither is modified in an unauthorized manner

Availability
• Ensures the system or data is available and executes in a predictable manner with an acceptable level of performance

Confidentiality
• Prevents unauthorized disclosure of sensitive information by ensuring that the necessary level of secrecy is in place at each junction of data processing

Rules & Policies..

Top 10 Information Security Trends of 2008

1. Increasingly Sophisticated Website Attacks That Exploit Browser Vulnerabilities
2. Increasing Sophistication and Effectiveness in Botnets
3. Cyber Espionage Efforts by Well Resourced Organizations
4. Mobile Phone Threats, Especially Against iPhones and Google’s Android-Based Phones
5. Insider Attacks

Top 10 Information Security Trends of 2008

6. Advanced Identity Theft from Persistent Bots
7. Increasingly Malicious Spyware
8. Web Application Security Exploits
9. Increasingly Sophisticated Social Engineering Including Blending Phishing with VOIP
10. Supply Chain Attacks That Infect Consumer Devices

Security Highlight: Presidential Election - US

• Setting the stage:
  • It’s impossible to predict the future; BUT we can
    • Speculate
    • Make educated guesses
    • Learn from past experiences
• Much of what we’ll discuss:
  • Has been demonstrated before; BUT
  • Can be easily applied to the electoral system

The Internet and our Electoral System

• Internet increasingly relied on for voter communications
• Used extensively in 2004; overshadowed in 2008
• Important to understand the associated risks
• One need only examine current threats
  • Adware, Spyware, Malicious Code
  • Typo Squatting, SPAM, Phishing, Fraud, Identity Theft
  • Dissemination of misinformation
  • Invasion of privacy
• Emphasis will be on US Presidential Election 2008 but can be applied everywhere

Threat: Typo Squatting

• Early 1990s was the wild west
  • No precedent on domain name disputes
  • Speculation and infringement ran rampant
• UDRP – Uniform Domain Name Dispute Resolution Policy
  • Created by ICANN in 1999
  • Implemented by WIPO – World Intellectual Property Organization
  • Provides a framework, but does not prevent infringement
• Anticybersquatting Consumer Protection Act
  • Took effect on November 29th, 1999
  • Provides a legal remedy and recovery of monetary damages
• Low cost of domain registration continues to drive infringement

Example Disputes

Julia Roberts (juliaroberts.com)

Typo Squatting Analysis

Mistakes include:
• Missing the first ‘.’ delimiter: wwwmittromney.com
• Missing a character in the name (t): www.mitromney.com
• Hitting a surrounding character (r): www.mitrromney.com
• Adding an additional character (t): www.mitttromney.com
• Reversing two characters (im): www.imttromney.com
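
The five mistake classes listed above can be turned into a check that a defender runs over DNS or proxy logs to flag look-alikes of a name they protect. This is an added example, not part of the original slides; the function names, the grid approximation of QWERTY adjacency and the single-label-TLD handling are assumptions made here.

```python
"""Classify observed hostnames against a protected name using the slide's five typo classes."""

# Approximate QWERTY layout: two keys count as "surrounding" if they touch in this grid.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _build_adjacency():
    adjacent = {}
    for r, row in enumerate(QWERTY_ROWS):
        for c, key in enumerate(row):
            near = set()
            for rr in (r - 1, r, r + 1):
                if not 0 <= rr < len(QWERTY_ROWS):
                    continue
                for cc in (c - 1, c, c + 1):
                    if 0 <= cc < len(QWERTY_ROWS[rr]) and (rr, cc) != (r, c):
                        near.add(QWERTY_ROWS[rr][cc])
            adjacent[key] = near
    return adjacent


ADJACENT = _build_adjacency()


def classify(hostname, protected):
    """Return the typo class of hostname relative to protected, "exact", or None."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    label = labels[-2]  # assumption: single-label TLD such as .com
    if label == protected:
        return "exact"
    if label == "www" + protected:
        return "missing-dot"
    n, m = len(protected), len(label)
    if m == n - 1:
        # One character of the protected name was dropped.
        if any(protected[:i] + protected[i + 1:] == label for i in range(n)):
            return "missing-character"
    elif m == n + 1:
        # One extra character was typed.
        if any(label[:i] + label[i + 1:] == protected for i in range(m)):
            return "additional-character"
    elif m == n:
        diffs = [i for i in range(n) if label[i] != protected[i]]
        if len(diffs) == 1:
            i = diffs[0]
            if label[i] in ADJACENT.get(protected[i], ()):
                return "surrounding-character"
        elif len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i, j = diffs
            if label[i] == protected[j] and label[j] == protected[i]:
                return "reversed-characters"
    return None


def scan(hostnames, protected):
    """Map each look-alike hostname to its class; exact and unrelated names are dropped."""
    hits = {}
    for host in hostnames:
        kind = classify(host, protected)
        if kind and kind != "exact":
            hits[host] = kind
    return hits


# Constructed sample: the five hostnames from the slide plus two controls.
OBSERVED = [
    "wwwmittromney.com", "www.mitromney.com", "www.mitrromney.com",
    "www.mitttromney.com", "www.imttromney.com",
    "www.mittromney.com", "www.example.com",
]

if __name__ == "__main__":
    for host, kind in scan(OBSERVED, "mittromney").items():
        print(f"{host:24} {kind}")
```
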

Typo Squatting – August 2007

Typo Squatting – February 2008

Example Registered Typo Sites

What you see might not be true..

Security Highlight – Zero Day Attack

• A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit unknown, undisclosed or unpatched computer application vulnerabilities. The term zero day is also used to describe unknown, or zero-day, viruses.

Environment, Attacker, Target

Environment Property

• World Events
• Political and Cultural Environment
  • Significant Events
  • Resultant China/US “hacker war”
• Patriotism
• Cultural: “Right” to hack
• Safety behind the monitor

Attack Capability Analysis

• ‘Natural’ Nation State Resources
  • Finance
  • Capabilities (exploit and mapping)
  • Other pre-existing intel capabilities
• Nation States
  • N. Korea / China (for example)

Attack Motivation Analysis

• Nation State Coercion
  • Voluntary
    • Inspire attacks via nationalism
    • Turn a blind eye towards activity
    • Refuse to cooperate with international investigations
  • Mandatory
    • Issue “orders” to attack

Threat Spectrum

• So how urgent is the threat?
  • Terrorist broadcasting of intentions
    “In a matter of time you will see attacks on the stock market. I would not be surprised if tomorrow I hear of a big economic collapse because of somebody attacking the main technical systems in big companies.” – Sheikh Omar Bakri Muhammad
  • Cultural conceptions in time
  • Acknowledgement of the potential capability does not mean an attack will occur in the near term

Omar Bakri Muhammad - Profile

What might the attack look like?

• Increase or augment the impact of physical attack
• Attack supporting infrastructures (telecom, medical, transportation, power, etc.)
• Attack complementary infrastructures (finance, national airspace systems)

Cyberwar

Summary of Types of Attacks

• Physical
  • Lowest paid employees have greatest accessibility to our systems
• Social
  • People tend to trust people
• Network
  • What you can’t see can hurt you

Physical

• Attack
  • People paid to look the other way, theft
    • >$120 billion loss in employee fraud for 2000
  • Disgruntled ex-employee/spouse
  • Distractions for support staff (sugar in tank)
• Defend
  • Encrypt the system and laptops
  • Do secure remote backups
  • Use biometric identification

Malaysia Car Thieves Steal Finger

Social

• Attack
  • Giving false credentials to reset password
  • Forged email, trojan attachment
    • 37% of people surveyed would read email entitled “ILOVEYOU” and launch the attachment
  • Claim from help desk, get root on desktop
• Defend
  • Do not give passwords over the phone
  • Exit interview, removal of authorization
  • Challenge strangers for ID
  • Do callback to main number for verification
  • Sign email, do not allow attachments

Passwords = Socks ??

Network

• Attack
  • Eavesdropping
  • Data modification
  • Identity spoofing
  • Password based attack
  • Denial of Service (DoS)
  • Man-in-the-middle
  • Wireless cracking
  • Sniffer attack
  • Application layer attack

Network

• Defend
  • Do not allow non-job/untrusted applications
  • Harden passwords or use biometrics
  • Proactive scanning of subnets, security audits
  • Enforce security policies regardless of status
  • Do not give users administrative rights

Conclusion

Security
• Is like an onion
  • The more layers a hacker is required to peel, the more they’re liable to cry & move on
• Should not be an afterthought
  • If it is not designed in, it’s tacked on
• Should be proactive, not retroactive
  • Better to do fire prevention than smoke inhalation

Questions & Answers

Thank You