Agenda
• 10,000 meters view
• Let’s get into some „lies”
• Where is my PS3 data?
• What does it mean to me?
• Lessons learned
Timeline of notable incidents (chart axes: year, 1980 to 2010; complexity / sophistication / business impact / national impact):
• 1978 – DEC spam: first spam incident hits 393 users
• 1988 – Morris Worm: first Internet worm
• 2000 – Mafiaboy: DoS attacks on Yahoo, eBay, CNN, Amazon & Dell
• 2000 – ILOVEYOU: worm + social engineering; spreads worldwide in 1 day, ~50M infections, $5.5B in damage
• 2005/6 – TJX: hackers compromise ~45M credit / debit cards
• 2007 – Estonia: DDoS attacks during row with Russia target critical infrastructure
• 2008 – Georgia: cyber attacks coordinated with “real” invasion
• 2009 – Aurora: “Advanced Persistent Threat” for industrial espionage
• 2010 – Stuxnet: military grade op targets SCADA gear in Iran
Threat actors:
• SCRIPT KIDDIES
• AMATEUR GROUPS
• SEMI-PROS
• BLACKHATS
• INDUSTRIAL ESPIONAGE
• ORGANIZED CRIME
• NATION STATES
• TERRORISTS
• Misguided Individuals
Vendors Reporting the Largest Number of Vulnerability Disclosures in History
■ Vulnerability disclosures up 27%.
• Web applications continue to be the largest category of disclosure.
■ Significant increase across the board signifies efforts that are going on throughout the software industry to improve software quality and identify and patch vulnerabilities.
Patches Still Unavailable for Many Vulnerabilities
■ 44% of all vulnerabilities disclosed in 2010 had no vendor-supplied patches to remedy the vulnerability.
■ Most patches become available for most vulnerabilities at the same time that they are publicly disclosed.
■ However some vulnerabilities are publicly disclosed for many weeks before patches are released.
Patch Release Timing – First 8 Weeks of 2010
Public Exploit Exposures Up in 2010
■ Public exploit disclosures up 21% in 2010 versus 2009.
• Approximately 14.9% of the vulnerabilities disclosed in 2010 had public exploits, which is down slightly from the 15.7% last year.
• However more vulnerabilities were disclosed this year, so the total number of exploits increased.
• The vast majority of public exploits are released the same day or in conjunction with public disclosure of the vulnerability.
Exploit Effort vs. Potential Reward
■ Economics continue to play heavily into the exploitation probability of a vulnerability
■ All but one of the 25 vulnerabilities in the top right are vulnerabilities in the browser, the browser environment, or in email clients.
■ The only vulnerability in this category that is not a browser or email client side issue is the LNK file vulnerability that the Stuxnet worm used to exploit computers via malicious USB keys.
Top Attacks seen by X-Force in 2010
■ Automated SQL Injection attacks
■ Lateral scanning of the entire Internet for services with weak passwords
■ The SQL Slammer worm was responsible for a huge amount of malicious traffic in 2010 but traffic levels dropped off significantly in March, 2011. (For more info see the Frequency-X Blog.)
Web App Vulnerabilities Continue to Dominate
■ Nearly half (49%) of all vulnerabilities are Web application vulnerabilities.
■ Cross-Site Scripting & SQL injection vulnerabilities continue to dominate.
SQL Injection Attacks
• During each of the past three years, there has been a globally scaled SQL injection attack some time during the months of May through August.
• The anatomy of these attacks is generally the same: they target .ASP pages that are vulnerable to SQL injection.
(Chart: SQL injection attack activity in 2008, 2009 and 2010.)
Real World Conclusions from Web App Assessments
■ In 2010, for the first time, we now find that Cross-Site Request Forgery (CSRF) vulnerabilities are more likely to be found in our testing than Cross-Site Scripting (XSS) vulnerabilities.
■ XSS and SQL injection are both attributed directly to a lack of input control. The likelihood of finding one of them in 2010 is more than 60%.
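As an added example (not from the presentation or any IBM product) of the “lack of input control” behind the SQL injection findings above and the vulnerable .ASP login pages described under SQL Injection Attacks: a deliberately vulnerable login query beside its hardened form, using Python’s sqlite3 module and a constructed users table.

```python
import re
import sqlite3

# Constructed sample accounts; not data from the presentation. Passwords are
# stored in plaintext only to keep the example short.
SAMPLE_USERS = [("alice", "pw-alice"), ("bob", "pw-bob"), ("carol", "pw-carol")]

# Allowlist for the username field: input control means deciding up front
# what a field may contain, rather than trying to spot attack strings.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_no_input_control(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Deliberately vulnerable: request values are pasted into the SQL text,
    so a quote in either field changes the structure of the query (the
    login-page flaw the report attributes to missing input control)."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def valid_username(name: str) -> bool:
    """Return True only when the value matches the allowlist."""
    return USERNAME_RE.fullmatch(name) is not None


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Hardened form: reject values outside the allowlist, then bind the
    remaining values as parameters so the driver treats them as data only."""
    if not valid_username(name):
        return []
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    print(login_hardened(db, "alice", "pw-alice"))  # ['alice']
```

The parameterized query alone closes the injection; the allowlist is the extra input-control layer that also gives a clean signal to log and alert on.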
Client-Side Vulnerabilities: Web Browser, Document Reader & Multimedia Player Vulnerabilities Continue to Impact End Users
■ Web browsers and their plug-ins continue to be the largest category of client-side vulnerabilities.
■ 2010 saw an increase in the volume of disclosures in document readers and editors as well as multimedia players.
Suspicious Web Pages and Files Show No Sign of Warning
■ Obfuscation activity continued to increase during 2010.
■ Attackers never cease to find new ways to disguise their malicious traffic via JavaScript and PDF obfuscation.
• Obfuscation is a technique used by software developers and attackers alike to hide or mask the code used to develop their applications.
The SONY Breach
• If you haven't heard, the breach included:
– 100+ Million database records of undisclosed content
– loss of 10 Million credit card numbers and supporting customer data
– their $$$$ transactional website has been down for a month+
– the breach is expected to cost them 1.5 billion dollars – http://www.totaltele.com/view.aspx?ID=464556
– new breaches reported over time
• There have been many rumors about how the attack was achieved.
– many have said it had something to do with an insider
– it has been said that it was straight SQL injection etc.
– it has been said that ANONYMOUS did it because they warned Sony that they were sending customer data in the clear and Sony ignored them. So Anonymous decided it was time to teach them a lesson.
If I give my credit card to a web site, I want at a minimum:
• Mandatory web app security assessment including code review
• Vulnerability management program
• IPS looking out for malicious activity
• Server protection on my web server and my database servers
• DAM looking out for my database access
• DLP protection in my network
Perimeter Defenses No Longer Sufficient
“A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls.”
- William J. Lynn III, U.S. Deputy Defense Secretary
Diagram items:
• Outsourcing
• Web-Facing Apps
• Legacy App Integration/SOA
• Employee Self-Service, Partners & Suppliers
• Insiders (DBAs, developers, outsourcers, etc.)
• Stolen Credentials (Zeus, etc.)
Security Testing Technologies
Combination Delivers a Comprehensive Solution
Static Code Analysis = Whitebox
• Scanning source code for security issues
Dynamic Analysis = Blackbox
• Performing security analysis of a compiled application
(Diagram: Dynamic Analysis and Static Analysis each cover part of the Total Potential Security Issues; combining both gives the Best Coverage.)
Vulnerability Management in action
• Explore web site / OS / application to detect flaws
• Identify vulnerabilities ranked by severity and show how each was identified
• Advanced remediation, fix recommendations and security enablement
Intrusion prevention just got smarter with extensible protection backed by the power of X-Force
IBM Intrusion Prevention System
Virtual Patch
What It Does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach.
Why Important: At the end of 2010, 44% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability.
Threat Detection & Prevention
What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.
Why Important: Eliminates the need for constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.
Data Security
What It Does: Monitors and identifies unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist.
Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy.
Web Application Protection
What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery).
Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.
Application Control
What It Does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling.
Why Important: Enforces network application and service access based on corporate policy and governance.
Client-Side Application Protection
What It Does: Protects end users against attacks targeting applications used every day such as Microsoft Office, Adobe PDF, Multimedia files and Web browsers.
Why Important: At the end of 2010, vulnerabilities which affect personal computers represent the second-largest category of vulnerability disclosures and about a fifth of all vulnerability disclosures.
IBM Virtual Server Protection for VMware
Integrated threat protection for VMware ESX and ESXi
Helps to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers.
■ VMsafe Integration
■ Firewall and Intrusion Prevention
■ Rootkit Detection/Prevention
■ Inter-VM Traffic Analysis
■ Automated Protection for Mobile VMs (VMotion)
■ Virtual Network Segment Protection
■ Virtual Network-Level Protection
■ Virtual Infrastructure Auditing (Privileged User)
■ Virtual Network Access Control
Non-Invasive, Real-Time Database Security & Monitoring
• Continuously monitors all database activities (including local access by superusers)
• Heterogeneous, cross-DBMS solution
• Does not rely on native DBMS logs
• Minimal performance impact (2-3%)
• No DBMS or application changes
• Supports Separation of Duties
• Activity logs can’t be erased by attackers or DBAs
• Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)
• Granular, real-time policies & auditing
• Who, what, when, where, how
Enterprise Content Protection (ECP) aka DLP
• Automated discovery of sensitive content, classifying / tagging of files
• Policy-based enforcement of data protection policy
(notify, block, encrypt, remove, relocate)
• Close the gap between user action and automated policy-enforced action
• Endpoint – Network – Server / Data Center
• Key Business Partners:
– Fidelis Security Systems
– Verdasys
Lessons learned and what to do next
• Hacking is more organized, well funded and highly motivated than ever
• Economics and politics play an important role in the exploitation schemes
• There is no such thing as a magic silver bullet
• We need a multilayered approach
• We all need to work closely and do our homework
How to get more info about IBM Security Solutions?
• Contact me !!!
• IBM X-Force Blog & Reports!!!
– http://blogs.iss.net/
– https://www.ibm.com/services/us/iss/xforce/trendreports/
• IBM Institute for Advanced Security
– http://www.instituteforadvancedsecurity.com/
• IBM Security Solutions YouTube channel
– http://www.youtube.com/user/IBMSecuritySolutions
• IBM Security Solutions Twitter
– https://twitter.com/#!/ibmsecurity
• IBM Redbooks / Redpapers regarding security
– http://www.redbooks.ibm.com
IBM Security Solutions
Function / Capability – Candidate IBM Solutions
1. Establish the Cloud infrastructure
• IBM Tivoli Service Automation Manager
• IBM Tivoli Monitoring
• IBM Service Delivery Manager
• IBM Cloud Architecture / Design Services
2. Establish and Enforce Security Policy & Governance Structure
• IBM Professional Security Services
• IBM Tivoli Security Policy Manager
• IBM Websphere Datapower SOA Appliance
• IBM Tivoli Security Incident & Event Manager
• IBM InfoSphere Guardium
3. Discover & Categorize Information Assets
• IBM InfoSphere Optim
• IBM InfoSphere Guardium
4. Establish & Manage Identities and Access
• IBM Tivoli Identity Manager
• IBM Tivoli Access Manager
• IBM Tivoli Federated Identity Manager
• IBM Tivoli Security Incident & Event Manager
• IBM Privileged Identity Management
5. Manage Information Access
• IBM InfoSphere Guardium
6. Cyber Defense
• IBM AppScan
• IBM Managed Security Services
• IBM Proventia Threat Mitigation Products
• IBM Tivoli Endpoint Manager (BigFix)
• IBM Security Virtual Server Protection
• IBM X-Force Threat Analysis Service (XFTAS)
7. Physical Security
• IBM Physical Security Services – Digital Video Surveillance
8. COP / Situational Awareness / Compliance Reporting
• IBM Tivoli Security Incident & Event Manager
• IBM InfoSphere Guardium
• IBM Tivoli Monitoring
• IBM Proventia Management SiteProtector
• IBM Tivoli Netcool OMNIbus
9. Advanced Analytics / Intuitive Situational Awareness / Sense and Respond Cyber Defense
• IBM Research
• IBM InfoSphere Streams
• IBM CognosNow
• IBM Tivoli Service Automation Manager
• IBM Service Delivery Manager