Robert Michalski, Security Tiger Team

Preventing Intrusions in Light of Aurora, Stuxnet, Anonymous

Agenda

• 10,000 meters view

• Let’s get into some „lies”

• Where is my PS3 data?

• What does it mean to me?

• Lessons learned

(Timeline figure, 1980–2010; vertical axis: Complexity / Sophistication / Business Impact / National Impact)

• 1978 – DEC Spam: first spam incident hits 393 users

• 1988 – Morris Worm: first Internet worm

• 2000 – Mafiaboy: DoS attacks on Yahoo, eBay, CNN, Amazon & Dell

• 2000 – Iloveyou: Worm + Social Engineering. Spreads worldwide in 1 day. ~50M infections, $5.5B in damage.

• 2005/6 – TJX: Hackers compromise ~45M credit / debit cards

• 2007 – Estonia: DDoS attacks during row with Russia target critical infrastructure

• 2008 – Georgia: Cyber attacks coordinated with “real” invasion

• 2009 – Aurora: “Advanced Persistent Threat” for industrial espionage

• 2010 – Stuxnet: Military grade op targets SCADA gear in Iran

SCRIPT KIDDIES

AMATEUR GROUPS

SEMI-PROS

BLACKHATS

INDUSTRIAL ESPIONAGE

ORGANIZED CRIME

NATION STATES

TERRORISTS

Misguided Individuals

Vendors Reporting the Largest Number of Vulnerability Disclosures in History

■ Vulnerability disclosures up 27%.

• Web applications continue to be the largest category of disclosure.

■ Significant increase across the board signifies efforts that are going on throughout the software industry to improve software quality and identify and patch vulnerabilities.

Patches Still Unavailable for Many Vulnerabilities

■ 44% of all vulnerabilities disclosed in 2010 had no vendor-supplied patches to remedy the vulnerability.

■ Most patches become available for most vulnerabilities at the same time that they are publicly disclosed.

■ However some vulnerabilities are publicly disclosed for many weeks before patches are released.

Patch Release Timing – First 8 Weeks of 2010

Public Exploit Exposures Up in 2010

■ Public exploit disclosures up 21% in 2010 versus 2009

• Approximately 14.9% of the vulnerabilities disclosed in 2010 had public exploits, which is down slightly from the 15.7% last year

• However more vulnerabilities were disclosed this year, so the total number of exploits increased.

• The vast majority of public exploits are released the same day or in conjunction with public disclosure of the vulnerability.

Exploit Effort vs. Potential Reward

■ Economics continue to play heavily into the exploitation probability of a vulnerability

■ All but one of the 25 vulnerabilities in the top right are vulnerabilities in the browser, the browser environment, or in email clients.

■ The only vulnerability in this category that is not a browser or email client side issue is the LNK file vulnerability that the Stuxnet worm used to exploit computers via malicious USB keys.

Top Attacks seen by X-Force in 2010

■ Automated SQL Injection attacks

■ Lateral scanning of the entire Internet for services with weak passwords

■ The SQL Slammer worm was responsible for a huge amount of malicious traffic in 2010 but traffic levels dropped off significantly in March, 2011. (For more info see the Frequency-X Blog.)

Web App Vulnerabilities Continue to Dominate

■ Nearly half (49%) of all vulnerabilities are Web application vulnerabilities.

■ Cross-Site Scripting & SQL injection vulnerabilities continue to dominate.

SQL Injection Attacks

• During each of the past three years, there has been a globally scaled SQL injection attack some time during the months of May through August.

• The anatomy of these attacks is generally the same: they target .ASP pages that are vulnerable to SQL injection.

(Chart: attack volume by year, 2008, 2009, 2010)

Real World Conclusions from Web App Assessments

■ In 2010, for the first time, we now find that Cross-Site Request Forgery (CSRF) vulnerabilities are more likely to be found in our testing than Cross-Site Scripting (XSS) vulnerabilities.

■ XSS and SQL injection are both attributed directly to a lack of input control. The likelihood of finding it in 2010 is more than 60%.
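The two slides above name the defect (SQL built from uncontrolled input) without showing it. The following is an added example, not code from the deck or from IBM: a Python/SQLite stand-in for the login handler of an injectable page, with the concatenated query next to its hardened replacement (allowlist on the username plus a bound-parameter query). The table, the two accounts and the allowlist pattern are assumptions made for the example; the original attacks targeted .ASP pages, but the query-building mistake is language-independent.

```python
import re
import sqlite3

# Constructed stand-in for the back end of a login page: table name,
# columns and the two test accounts are assumptions made for this example,
# and the plaintext passwords are there only so the effect of the query
# is visible. Nothing here comes from the deck or from any real system.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Injectable pattern: untrusted input is pasted into the SQL text,
    so quote characters in the input change the structure of the query."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


# Allowlist for the identifier-like field. This is the "input control" the
# deck refers to: reject anything that is not a plausible username before
# it reaches the database layer. Passwords are deliberately not filtered,
# because users must be free to pick any characters there; the bound query
# below makes that safe.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def login_hardened(conn, username, password):
    """Hardened variant: allowlist validation plus a parameterised query.
    The driver binds the values as data; they are never parsed as SQL."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters outside the allowlist")
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # Legitimate login: both variants behave the same.
    print(login_vulnerable(db, "alice", "correct-horse"))   # ['alice']
    print(login_hardened(db, "alice", "correct-horse"))     # ['alice']
    # A quote in the password field turns the concatenated query into a
    # tautology and returns every account; the bound query returns nothing.
    tautology = "' OR '1'='1"
    print(login_vulnerable(db, "x", tautology))              # ['alice', 'bob']
    print(login_hardened(db, "x", tautology))                # []
```

The point to take from the pair is that the allowlist alone would not have saved the vulnerable function (the tautology goes in through the password field, which cannot be allowlisted); only binding the values as parameters removes the defect, and the allowlist is defence in depth on top of it.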

Client-Side Vulnerabilities: Web Browser, Document Reader & Multimedia Player Vulnerabilities Continue to Impact End Users

■ Web browsers and their plug-ins continue to be the largest category of client-side vulnerabilities.

■ 2010 saw an increase in the volume of disclosures in document readers and editors as well as multimedia players.

Suspicious Web Pages and Files Show No Sign of Waning

■ Obfuscation activity continued to increase during 2010.

■ Attackers never cease to find new ways to disguise their malicious traffic via JavaScript and PDF obfuscation.

• Obfuscation is a technique used by software developers and attackers alike to hide or mask the code used to develop their applications.
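Because obfuscation is used by developers and attackers alike, detection has to rest on a combination of indicators rather than any single one. The block below is an added example, not code from the deck or from IBM: a small Python scorer that measures the signals typically present in hostile JavaScript (runtime decode-and-execute calls, density of percent/hex/unicode escapes, very long string literals, high character entropy) and counts how many thresholds a script crosses. Both sample scripts and all thresholds are constructed assumptions for the example; the escaped string decodes to alert(1). The same measurements apply to JavaScript carried inside PDF files once it has been extracted.

```python
import math
import re

# Two constructed JavaScript snippets (not taken from any real page).
# BENIGN_SAMPLE is ordinary page logic; OBFUSCATED_SAMPLE hides its string
# behind percent-escapes and decodes it at run time, the pattern the deck
# describes. The escaped string is a constructed harmless call, alert(1).
BENIGN_SAMPLE = (
    'function add(a, b) { return a + b; }\n'
    'document.getElementById("total").textContent = add(2, 3);\n'
)
OBFUSCATED_SAMPLE = 'eval(unescape("%61%6c%65%72%74%28%31%29"))'

# Runtime decode-and-execute calls that legitimate code rarely needs together.
DECODE_EXEC_CALLS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")
# %XX, \xXX and \uXXXX escapes, the usual way to hide keywords from a filter.
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
STRING_LITERAL_RE = re.compile(r"\"[^\"\n]*\"|'[^'\n]*'")


def shannon_entropy(text):
    """Bits per character; packed or base64-style payloads push this up."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def indicators(js):
    """Collect the raw measurements for one script."""
    literals = STRING_LITERAL_RE.findall(js)
    return {
        "decode_exec_calls": sum(js.count(call) for call in DECODE_EXEC_CALLS),
        "escape_density": len(ESCAPE_RE.findall(js)) / max(len(js), 1),
        "longest_literal": max((len(s) for s in literals), default=0),
        "entropy": shannon_entropy(js),
    }


def obfuscation_score(js):
    """Count how many thresholds the script crosses (0 = nothing unusual).
    Thresholds are assumptions chosen for this example, not tuned values."""
    ind = indicators(js)
    score = 0
    if ind["decode_exec_calls"] >= 2:
        score += 1
    if ind["escape_density"] > 0.05:
        score += 1
    if ind["longest_literal"] > 200:
        score += 1
    if ind["entropy"] > 5.5:
        score += 1
    return score, ind


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        score, ind = obfuscation_score(sample)
        print(name, score, ind)
```

A scorer like this is a triage aid, not a verdict: minified libraries legitimately cross the long-literal and entropy thresholds, so a production rule would weight the decode-and-execute signal higher and whitelist known library hashes.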

The SONY Breach

• If you haven't heard, the breach included:

– 100+ million database records of undisclosed content

– loss of 10 million credit card numbers and supporting customer data

– their $$$$ transactional website has been down for a month+

– the breach is expected to cost them 1.5 billion dollars – http://www.totaltele.com/view.aspx?ID=464556

– new breaches reported over time

• There have been many rumors about how the attack was achieved.

– many have said it had something to do with an insider

– it has been said that it was straight SQL injection etc.

– it has been said that ANONYMOUS did it because they warned Sony that they were sending customer data in the clear and Sony ignored them. So Anonymous decided it was time to teach them a lesson.

If I give my credit card to a web site, I want at a minimum:

• Mandatory web app security assessment including code review

• Vulnerability management program

• IPS looking out for malicious activity

• Server protection on my web server and my database servers

• Database activity monitoring (DAM) looking out for my database access

• Data loss prevention (DLP) in my network

Perimeter Defenses No Longer Sufficient

“A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls.”

- William J. Lynn III, U.S. Deputy Defense Secretary

• Outsourcing

• Web-Facing Apps

• Legacy App Integration/SOA

• Employee Self-Service, Partners & Suppliers

• Insiders (DBAs, developers, outsourcers, etc.)

• Stolen Credentials (Zeus, etc.)

Security Testing Technologies: Combination Delivers a Comprehensive Solution

Static Code Analysis = Whitebox

• Scanning source code for security issues

Dynamic Analysis = Blackbox

• Performing security analysis of a compiled application

(Diagram: Total Potential Security Issues, with Static Analysis and Dynamic Analysis as overlapping circles; the combination gives the best coverage.)

Vulnerability Management in action

• Explore web site / OS / application to detect flaws

• Identify vulnerabilities ranked by severity and show how each was identified

• Advanced remediation, fix recommendations and security enablement

IBM Intrusion Prevention System

Intrusion prevention just got smarter with extensible protection backed by the power of X-Force

Virtual Patch

What It Does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach.

Why Important: At the end of 2010, 44% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability.

Threat Detection & Prevention

What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.

Why Important: Eliminates the need for constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.

Data Security

What It Does: Monitors and identifies unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist.

Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy.

Web Application Protection

What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery).

Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.

Application Control

What It Does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling.

Why Important: Enforces network application and service access based on corporate policy and governance.

Client-Side Application Protection

What It Does: Protects end users against attacks targeting applications used every day such as Microsoft Office, Adobe PDF, Multimedia files and Web browsers.

Why Important: At the end of 2010, vulnerabilities which affect personal computers represent the second-largest category of vulnerability disclosures and about a fifth of all vulnerability disclosures.

IBM Virtual Server Protection for VMware: Integrated threat protection for VMware ESX and ESXi

Helps to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers.

■ VMsafe Integration

■ Firewall and Intrusion Prevention

■ Rootkit Detection/Prevention

■ Inter-VM Traffic Analysis

■ Automated Protection for Mobile VMs (VMotion)

■ Virtual Network Segment Protection

■ Virtual Network-Level Protection

■ Virtual Infrastructure Auditing (Privileged User)

■ Virtual Network Access Control


Non-Invasive, Real-Time Database Security & Monitoring

• Continuously monitors all database activities (including local access by superusers)

• Heterogeneous, cross-DBMS solution

• Does not rely on native DBMS logs

• Minimal performance impact (2-3%)

• No DBMS or application changes

• Supports Separation of Duties

• Activity logs can’t be erased by attackers or DBAs

• Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)

• Granular, real-time policies & auditing

• Who, what, when, where, how

Enterprise Content Protection (ECP) aka DLP

• Automated discovery of sensitive content, classifying / tagging of files

• Policy-based enforcement of data protection policy (notify, block, encrypt, remove, relocate)

• Close the gap between user action and automated policy-enforced action

• Endpoint – Network – Server / Data Center

• Key Business Partners:

– Fidelis Security Systems

– Verdasys
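The Data Security module described earlier (identifying unencrypted PII in traffic) and the DLP slide above (discover, classify, then enforce notify/block/encrypt) are two views of the same pipeline. The following is an added example, not code from the deck or from any IBM or partner product: a Python scanner that finds card numbers and e-mail addresses in cleartext lines, confirms card candidates with the Luhn checksum so that arbitrary 16-digit identifiers are not flagged, tags each line, and maps the tags to an enforcement action. The sample lines and the tag-to-action mapping are constructed assumptions for the example.

```python
import re

# Constructed cleartext traffic/log lines for the demonstration (no real data;
# 4111 1111 1111 1111 is the well-known Luhn-valid test number).
SAMPLE_LINES = [
    "POST /checkout user=jan.kowalski@example.com card=4111-1111-1111-1111",
    "POST /newsletter email=anna.nowak@example.com",
    "GET /order?id=4111111111111112",   # 16 digits that fail the Luhn check
    "GET /index.html",
]

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_valid(digits):
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return normalised digit strings for every Luhn-valid card candidate."""
    found = []
    for match in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def classify(line):
    """Tag a line with the sensitive-data classes it carries."""
    tags = []
    if find_card_numbers(line):
        tags.append("card_number")
    if EMAIL_RE.search(line):
        tags.append("email")
    return tags


def policy_action(tags):
    """Map classification to the enforcement actions the deck lists.
    The mapping itself is an assumption for this example."""
    if "card_number" in tags:
        return "block"
    if "email" in tags:
        return "notify"
    return "allow"


def scan(lines):
    """Discovery, classification and policy decision for each line."""
    results = []
    for line in lines:
        tags = classify(line)
        results.append((line, tags, policy_action(tags)))
    return results


if __name__ == "__main__":
    for line, tags, action in scan(SAMPLE_LINES):
        print(f"{action:6s} {tags} {line}")
```

The Luhn step is what keeps the false-positive rate workable: without it, every order number, tracking code or timestamp of the right length would trigger the block rule, and operators would quickly switch the policy to notify-only.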

Lessons learned and what to do next

• Hacking is more organized, well funded and highly motivated than ever

• Economics and politics play an important role in the exploitation schemes

• There is no such thing as a magic silver bullet

• We need a multilayered approach

• We all need to work closely and do our homework

How to get more info about IBM Security Solutions?

• Contact me !!!

• IBM X-Force Blog & Reports!!!

– http://blogs.iss.net/

– https://www.ibm.com/services/us/iss/xforce/trendreports/

• IBM Institute for Advanced Security

– http://www.instituteforadvancedsecurity.com/

• IBM Security Solutions YouTube channel

– http://www.youtube.com/user/IBMSecuritySolutions

• IBM Security Solutions Twitter

– https://twitter.com/#!/ibmsecurity

• IBM Redbooks / Redpapers regarding security

– http://www.redbooks.ibm.com

IBM Security Solutions: Function / Capability and Candidate IBM Solutions

1. Establish the Cloud infrastructure
   • IBM Tivoli Service Automation Manager
   • IBM Tivoli Monitoring
   • IBM Service Delivery Manager
   • IBM Cloud Architecture / Design Services

2. Establish and Enforce Security Policy & Governance Structure
   • IBM Professional Security Services
   • IBM Tivoli Security Policy Manager
   • IBM Websphere Datapower SOA Appliance
   • IBM Tivoli Security Incident & Event Manager
   • IBM InfoSphere Guardium

3. Discover & Categorize Information Assets
   • IBM InfoSphere Optim
   • IBM InfoSphere Guardium

4. Establish & Manage Identities and Access
   • IBM Tivoli Identity Manager
   • IBM Tivoli Access Manager
   • IBM Tivoli Federated Identity Manager
   • IBM Tivoli Security Incident & Event Manager
   • IBM Privileged Identity Management

5. Manage Information Access
   • IBM InfoSphere Guardium

6. Cyber Defense
   • IBM AppScan
   • IBM Managed Security Services
   • IBM Proventia Threat Mitigation Products
   • IBM Tivoli Endpoint Manager (BigFix)
   • IBM Security Virtual Server Protection
   • IBM X-Force Threat Analysis Service (XFTAS)

7. Physical Security
   • IBM Physical Security Services – Digital Video Surveillance

8. COP / Situational Awareness / Compliance Reporting
   • IBM Tivoli Security Incident & Event Manager
   • IBM InfoSphere Guardium
   • IBM Tivoli Monitoring
   • IBM Proventia Management SiteProtector
   • IBM Tivoli Netcool OMNIbus

9. Advanced Analytics / Intuitive Situational Awareness / Sense and Respond Cyber Defense
   • IBM Research
   • IBM InfoSphere Streams
   • IBM CognosNow
   • IBM Tivoli Service Automation Manager
   • IBM Service Delivery Manager