© 2008 Dataprep Holdings Bhd. All Rights Reserved.
DP SECURE 2008
SCARING YOU SECURE...
INSIGHT INTO THE IT SECURITY JUNGLE
BY
DALBIR SINGH, CISSP
+60192109229
[email protected]
Agenda
• Insight to IT Security
• Threats and Technology
• Anticipated Top 10 Information Security Trends of 2008
• Security Highlight
  • Presidential Election – US
  • Zero Day Attack
• Conclusion
Why Today’s Presentation?
• Creating an awareness of the technology risks is a step in helping the user community take necessary precautions
• There is a need to be more PROACTIVE when it comes to technology security
• We need to understand that in many cases, technology alone cannot solve security problems
• Providing users with information that can be used to help make their technology environment more secure is a win-win situation
Key Issues Facing Customers Today
These issues are common to the computer and network layers:
Security
• Threats
• Theft
• Loss
• Response time
Application and Service Optimization
• Enablers
• Awareness
• App management
• Performance/optimization
• Resilience
Simplification
• Scale
• Cost
• Staffing
• Integration and systems management
Security Incidents 2007 – CSI Computer Crime & Security
Dollar Amount Losses by Type of Attack
Security Technologies Used
Techniques Used to Evaluate Effectiveness of Security Technologies
Techniques Used to Evaluate Effectiveness of Security Awareness Training
Actions Taken Following an Incident
Reasons for NOT Reporting
Key Findings
• The average annual loss reported in this year’s survey shot up to $350,424 from $168,000 the previous year. Not since the 2004 report have average losses been this high.
• Almost one-fifth (18%) of those respondents who suffered one or more kinds of security incident further said they’d suffered a “targeted attack”, defined as a malware attack aimed exclusively at their organization.
• Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software) edged out virus incidents as the most prevalent security problem, with 59 and 52 percent of respondents reporting each respectively.
• When asked generally whether they’d suffered a security incident, 46 percent of respondents said yes, down from 53 percent last year and 56 percent the year before.
What is Security?
Merriam-Webster’s Collegiate Dictionary
• Main Entry: se·cu·ri·ty
• Pronunciation: si-’kyur-&-tE
• 1. The quality or state of being secure: as
  • a: freedom from danger: SAFETY
  • b: freedom from fear and anxiety
  • c: freedom from the prospect of being laid off
• 2.
  • a: Something given, deposited, or pledged to make certain the fulfillment of an obligation: SURETY
• 3. An evidence of debt or ownership
What is Security?
• 4.
  • a: something that secures: PROTECTION
  • b:
    • i: measures taken to guard against espionage or sabotage, crime, attack or escape
    • ii: an organization or department whose task is security
Why should you care?
• The bottom line = $$$
• Risk assessment of the loss of systems
  • What is the $/hr for an end user workstation?
  • What is the $/day for a server?
  • What is the $/week, month, year for a critical system?
• Worst Case
  • Production banner goes down and never comes back
Why should you care?
• Liability = Responsibility
• State and federal guidelines for IT data, systems and security
  • What would be the legal ramifications if somebody broke in and stole all the client info? Email addresses for spam?
• Worst Case
  • System insecurity leads to a leak of confidential information which results in a very big lawsuit
Why should you care?
• Damages the prestige of the company
• Bad press directly/indirectly influences:
  • Department, staff and clients
  • Potential staff and clients
• Causes the company to become a known target
  • Weak security = easy target
  • Word gets around VERY QUICKLY in hackerdom
• Worst Case
  • NST/Star front page article deriding you, your department and company
The Big Fallacy
• “There’s nothing on my computer anybody would want!” – a non-IT manager
• Would you want everyone/anyone to:
  • Look at the web sites you’ve visited?
  • Read all your email?
  • Write email with your userid?
  • Use any credit cards you’ve used online?
  • Alter/delete data on your system?
  • Hijack your system for further attacks on other systems?
Threats Continue to Evolve
So Many New Security Technologies
Evolution of Security Challenges
[Chart: target and scope of damage (Individual Computer → Individual Networks → Multiple Networks → Regional Networks → Global Infrastructure impact) plotted against time (1980s → 1990s → Today → Future); the window from knowledge of a vulnerability to release of an exploit shrinks from weeks (1st Gen) to days (2nd Gen) to minutes (3rd Gen) to seconds (Next Gen).]
Time from knowledge of vulnerability to release of exploit is shrinking.
Virus and Worm Attacks
Instant Macro Virus Maker
Regulatory Compliance and the “IAC Triad”
Regulatory compliance
• BNM GPIS 1, HIPAA, Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX), Basel II, EPA
Integrity
• Assures the accuracy and reliability of data and systems, ensuring neither is modified in an unauthorized manner
Availability
• Ensures the system or data is available and executes in a predictable manner with an acceptable level of performance
Confidentiality
• Prevents unauthorized disclosure of sensitive information by ensuring that the necessary level of secrecy is in place at each junction of data processing
Rules & Policies..
Top 10 Information Security Trends of 2008
1. Increasingly Sophisticated Website Attacks That Exploit Browser Vulnerabilities
2. Increasing Sophistication and Effectiveness in Botnets
3. Cyber Espionage Efforts by Well Resourced Organizations
4. Mobile Phone Threats, Especially Against iPhones and Google’s Android-Based Phones
5. Insider Attacks
Top 10 Information Security Trends of 2008 (continued)
6. Advanced Identity Theft from Persistent Bots
7. Increasingly Malicious Spyware
8. Web Application Security Exploits
9. Increasingly Sophisticated Social Engineering Including Blending Phishing with VOIP
10. Supply Chain Attacks That Infect Consumer Devices
Security Highlight: Presidential Election – US
• Setting the stage:
  • It’s impossible to predict the future; BUT we can
    • Speculate
    • Make educated guesses
    • Learn from past experiences
• Much of what we’ll discuss:
  • Has been demonstrated before; BUT
  • Can be easily applied to the electoral system
The Internet and our Electoral System
• The Internet is increasingly relied on for voter communications
• Used extensively in 2004; overshadowed in 2008
• Important to understand the associated risks
• One need only examine current threats
  • Adware, Spyware, Malicious Code
  • Typo Squatting, SPAM, Phishing, Fraud, Identity Theft
  • Dissemination of misinformation
  • Invasion of privacy
• Emphasis will be on the US Presidential Election 2008 but can be applied everywhere
Threat: Typo Squatting
• Early 1990s was the wild west
  • No precedent on domain name disputes
  • Speculation and infringement ran rampant
• UDRP – Uniform Domain Name Dispute Resolution Policy
  • Created by ICANN in 1999
  • Implemented by WIPO – World Intellectual Property Organization
  • Provides a framework, but does not prevent infringement
• Anticybersquatting Consumer Protection Act
  • Took effect on November 29th, 1999
  • Provides a legal remedy and recovery of monetary damages
• Low cost of domain registration continues to drive infringement
Example Disputes
Julia Roberts (juliaroberts.com)
Typo Squatting Analysis
Mistakes include:
• Missing the first ‘.’ delimiter: wwwmittromney.com
• Missing a character in the name (t): www.mitromney.com
• Hitting a surrounding character (r): www.mitrromney.com
• Adding an additional character (t): www.mitttromney.com
• Reversing two characters (im): www.imttromney.com
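The five mistake classes above can be turned into a defensive lookalike-domain check: generate every one-step typo of a domain you want to protect and flag any of them that shows up in your own logs. The Python below is an added example, not code from the slides; it assumes a QWERTY layout (same-row neighbours only) and three-label hostnames like the slide's www.mittromney.com, and the log lines are constructed.

```python
# Added example (not from the slides): generate the five typo classes from the slide for a
# watched domain and flag lookalike hosts in constructed log lines. Assumes a QWERTY layout
# (same-row neighbours only) and three-label hostnames such as www.mittromney.com.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def neighbours(ch):
    """Keys immediately left/right of ch on the same QWERTY row (the 'surrounding character' case)."""
    for row in QWERTY_ROWS:
        if ch in row:
            i = row.index(ch)
            return {row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)}
    return set()

def typo_variants(domain):
    """Map each one-step typo of 'host.name.tld' to the mistake class that produces it."""
    host, name, tld = domain.lower().split(".")  # assumption: exactly three labels
    variants = {f"{host}{name}.{tld}": "missing first '.' delimiter"}
    for i, ch in enumerate(name):
        variants[f"{host}.{name[:i]}{name[i + 1:]}.{tld}"] = f"missing character ({ch})"
        variants[f"{host}.{name[:i]}{ch}{name[i:]}.{tld}"] = f"additional character ({ch})"
        for nb in neighbours(ch):
            variants[f"{host}.{name[:i]}{nb}{name[i + 1:]}.{tld}"] = f"surrounding character ({nb})"
        if i + 1 < len(name) and name[i] != name[i + 1]:  # skip no-op swaps such as 'tt'
            swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
            variants[f"{host}.{swapped}.{tld}"] = f"reversed characters ({name[i:i + 2]})"
    return variants

def classify(suspect, legitimate):
    """Return the mistake class if suspect is a one-step typo of legitimate, else None."""
    return typo_variants(legitimate).get(suspect.lower())

def scan_log(lines, legitimate):
    """Flag lookalike hostnames in log lines of the form '<timestamp> <user> <host>'."""
    hits = []
    for line in lines:
        host = line.split()[-1]
        kind = classify(host, legitimate)
        if kind:
            hits.append((host, kind))
    return hits

# Constructed sample proxy-log lines: the first is the genuine site, the last is unrelated.
SAMPLE_LOG = [
    "2008-02-01T10:00:01 alice www.mittromney.com",
    "2008-02-01T10:00:05 bob wwwmittromney.com",
    "2008-02-01T10:01:12 carol www.mitrromney.com",
    "2008-02-01T10:02:40 dave www.example.com",
]

LOOKALIKES = scan_log(SAMPLE_LOG, "www.mittromney.com")  # two of the four hosts are flagged
```

The same variant table can be checked against a registrar's WHOIS or zone feed to see which typo domains someone else has already registered, which is how the "Example Registered Typo Sites" slides that follow were presumably assembled.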
Typo Squatting – August 2007
Typo Squatting – February 2008
Example Registered Typo Sites
What you see might not be true..
Security Highlight – Zero Day Attack
• A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit unknown, undisclosed or unpatched computer application vulnerabilities. The term Zero Day is also used to describe unknown or zero-day viruses.
Environment, Attacker, Target
Environment Property
• World Events
• Political and Cultural Environment
  • Significant Events
  • Resultant China/US “hacker war”
• Patriotism
• Cultural: “Right” to hack
• Safety behind the monitor
Attack Capability Analysis
• ‘Natural’ Nation State Resources
  • Finance
  • Capabilities (exploit and mapping)
  • Other pre-existing intel capabilities
• Nation States
  • N. Korea / China (for example)
Attack Motivation Analysis
• Nation State Coercion
  • Voluntary
    • Inspire attacks via nationalism
    • Turn a blind eye towards activity
    • Refuse to cooperate with international investigations
  • Mandatory
    • Issue “orders” to attack
Threat Spectrum
• So how urgent is the threat?
  • Terrorist broadcasting of intentions
    “In a matter of time you will see attacks on the stock market. I would not be surprised if tomorrow I hear of a big economic collapse because of somebody attacking the main technical systems in big companies.” – Sheikh Omar Bakri Muhammad
  • Cultural conceptions in time
  • Acknowledgement of the potential capability does not mean an attack will occur in the near term
Omar Bakri Muhammad – Profile
What might the attack look like?
• Increase or augment the impact of a physical attack
• Attack supporting infrastructures (telecom, medical, transportation, power, etc.)
• Attack complementary infrastructures (finance, national airspace systems)
Cyberwar
Summary of Types of Attacks
• Physical
  • Lowest paid employees have the greatest accessibility to our systems
• Social
  • People tend to trust people
• Network
  • What you can’t see can hurt you
Physical
• Attack
  • People paid to look the other way, theft
    • >$120 billion loss in employee fraud for 2000
  • Disgruntled ex-employee/spouse
  • Distractions for support staff (sugar in tank)
• Defend
  • Encrypt the system and laptops
  • Do secure remote backups
  • Use biometric identification
Malaysia Car Thieves Steal Finger
Social
• Attack
  • Giving false credentials to reset a password
  • Forged email, trojan attachment
    • 37% of people surveyed would read an email entitled “ILOVEYOU” and launch the attachment
  • Claim to be from the help desk, get root on the desktop
• Defend
  • Do not give passwords over the phone
  • Exit interview, removal of authorization
  • Challenge strangers for ID
  • Do a callback to the main number for verification
  • Sign email, do not allow attachments
Passwords = Socks ??
Network
• Attack
  • Eavesdropping
  • Data modification
  • Identity spoofing
  • Password-based attack
  • Denial of Service (DoS)
  • Man-in-the-middle
  • Wireless cracking
  • Sniffer attack
  • Application layer attack
Network
• Defend
  • Do not allow non-job/untrusted applications
  • Harden passwords or use biometrics
  • Proactive scanning of subnets, security audits
  • Enforce security policies regardless of status
  • Do not give users administrative rights
Conclusion
Security
• Is like an onion
  • The more layers a hacker is required to peel, the more they’re liable to cry & move on
• Should not be an afterthought
  • If it is not designed in, it’s tacked on
• Should be proactive, not retroactive
  • Better to do fire prevention than smoke inhalation
Questions & Answers
Thank You